commit ed9b2df569f3cbc7fcfaf475a0f18d6108b9a244 Author: Watson Sato Date: Fri Feb 25 18:12:54 2022 +0100 Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch. diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 5b2cc0f..a641eee 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R4. + DISA STIG for Red Hat Enterprise Linux 8 V1R5. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index e1f0f71..07ff3cb 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R4. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml similarity index 81% rename from shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml rename to shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml index 46c5fa1..216e91f 100644 --- a/shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml @@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 4 Benchmark Date: 27 Oct 20213.2.2.360791.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. @@ -80,13 +80,13 @@ $ sudo cat /proc/sys/crypto/fips_enabled 1 -If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. +If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001199Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. -Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. @@ -96,7 +96,7 @@ $ sudo blkid /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" -Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that all local disk partitions are encrypted, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010040RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010040RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. @@ -293,7 +293,7 @@ $ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf auth.*;authpriv.*;daemon.* /var/log/secure -If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>RHEL-08-010090RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. +If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>RHEL-08-010090RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. @@ -301,11 +301,11 @@ When there is a chain of trust, usually the top entity to be trusted becomes the This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000185Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000185Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. -Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into the following file: +Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file: -/etc/sssd/pki/sssd_auth_ca_db.pemVerify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +/etc/sssd/pki/sssd_auth_ca_db.pemVerify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Check that the system has a valid DoD root CA installed with the following command: @@ -356,19 +356,19 @@ $ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ -Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010130The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. +Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010130The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash. +Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash. -Edit/modify the following line in the "/etc/pam.d/password-auth" file and set "rounds" to a value no lower than "5000": +Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": -password sufficient pam_unix.so sha512 rounds=5000Check that a minimum number of hash rounds is configured by running the following command: +SHA_CRYPT_MIN_ROUNDS 5000Check that a minimum number of hash rounds is configured by running the following command: -$ sudo grep rounds /etc/pam.d/password-auth +$ sudo egrep "^SHA_CRYPT_" /etc/login.defs -password sufficient pam_unix.so sha512 rounds=5000 +If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. -If "rounds" has a value below "5000", or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: @@ -404,21 +404,21 @@ $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue -If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010160The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. +If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010160The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: -password sufficient pam_unix.so sha512 rounds=5000Verify that the pam_unix.so module is configured to use sha512. +password sufficient pam_unix.so sha512Verify that the pam_unix.so module is configured to use sha512. Check that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command: $ sudo grep password /etc/pam.d/password-auth | grep pam_unix -password sufficient pam_unix.so sha512 rounds=5000 +password sufficient pam_unix.so sha512 If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010161RHEL 8 must prevent system daemons from using Kerberos for authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -661,25 +661,40 @@ $ sudo update-crypto-policies --show FIPS -If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010294The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - -RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. - -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: - -MinProtocol = TLSv1.2 - -A reboot is required for the changes to take effect.Verify the OpenSSL library is configured to use only DoD-approved TLS encryption: - -$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config - -MinProtocol = TLSv1.2 - -If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010295The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010294The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file. + +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: + +For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: +MinProtocol = TLSv1.2 + +For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: +TLS.MinProtocol = TLSv1.2 +DTLS.MinProtocol = DTLSv1.2 +A reboot is required for the changes to take effect.Verify the OpenSSL library is configured to use only DoD-approved TLS encryption: + +For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: + +$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config + +MinProtocol = TLSv1.2 + +If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding. + +For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: + +$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config + +TLS.MinProtocol = TLSv1.2 +DTLS.MinProtocol = DTLSv1.2 + +If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than DTLSv1.2, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010295The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. @@ -1077,23 +1092,23 @@ $ sudo yum list installed openssl-pkcs11 openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda -If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010400RHEL 8 must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. +If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010400RHEL 8 must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001948Configure the operating system to implement certificate status checking for multifactor authentication. +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001948Configure the operating system to implement certificate status checking for multifactor authentication. Review the "/etc/sssd/sssd.conf" file to determine if the system is configured to prevent OCSP or certificate verification. -Add the following line to the "/etc/sssd/sssd.conf" file: +Add the following line to the [sssd] section of the "/etc/sssd/sssd.conf" file: certificate_verification = ocsp_dgst=sha1 The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: -$ sudo systemctl restart sssd.serviceVerify the operating system implements certificate status checking for multifactor authentication. +$ sudo systemctl restart sssd.serviceVerify the operating system implements certificate status checking for multifactor authentication. Check to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command: @@ -1455,23 +1470,7 @@ $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config PermitRootLogin no -If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010560The auditd service must be running in RHEL 8.<VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Start the auditd service, and enable the auditd service with the following commands: - -$ sudo systemctl start auditd.service - -$ sudo systemctl enable auditd.serviceVerify the audit service is enabled and active with the following commands: - -$ sudo systemctl is-enabled auditd - -enabled - -$ sudo systemctl is-active auditd - -active - -If the service is not "enabled" and "active" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010561The rsyslog service must be running in RHEL 8.<VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. +If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010561The rsyslog service must be running in RHEL 8.<VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Start the auditd service, and enable the rsyslog service with the following commands: @@ -2361,23 +2360,41 @@ $ sudo grep -i lock-command /etc/tmux.conf set -g lock-command vlock -If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. - -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following line to the end of the "/etc/bashrc" configuration file: - -[ -n "$PS1" -a -z "$TMUX" ] && exec tmux - -This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following command: - -$ sudo grep -i tmux /etc/bashrc +If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. + +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -[ -n "$PS1" -a -z "$TMUX" ] && exec tmux +If [ "$PS1" ]; then +parent=$(ps -o ppid= -p $$) +name=$(ps -o comm= -p $parent) +case "$name" in (sshd|login) exec tmux ;; esac +fi -If "tmux" is not configured as the example above, is commented out, or missing from the "/etc/bashrc" initialization file, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: + +Determine if tmux is currently running: +$ sudo ps all | grep tmux | grep -v grep + +If the command does not produce output, this is a finding. + +Determine the location of the tmux script: +$ sudo grep tmux /etc/bashrc/etc/profile.d/* + +/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac + +Review the tmux script by using the following example: +$ sudo cat /etc/profile.d/tmux.sh +If [ "$PS1" ]; then +parent=$(ps -o ppid= -p $$) +name=$(ps -o comm= -p $parent) +case "$name" in (sshd|login) exec tmux ;; esac +fi + +If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. @@ -2520,31 +2537,23 @@ matchrule =<SAN>.*EDIPI@mil maprule = (userCertificate;binary={cert!bin}) domains = testing.test -If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020100RHEL 8 must ensure a password complexity module is enabled.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth - -Note the value of "retry" set in these configuration files should be between "1" and "3". Manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000192Configure the operating system to use "pwquality" to enforce password complexity rules. +If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020100RHEL 8 must ensure the password complexity module is enabled in the password-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. -Add the following line to both "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" (or modify the line to have the required value): +Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): -password required pam_pwquality.so retry=3Verify the operating system uses "pwquality" to enforce the password complexity rules. +password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. -Check for the use of "pwquality" with the following commands: +Check for the use of "pwquality" in the password-auth file with the following command: $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality -password required pam_pwquality.so retry=3 - -$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality +password required pam_pwquality.so -password required pam_pwquality.so retry=3 - -If both commands do not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding. - -If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -2586,7 +2595,7 @@ $ sudo grep dcredit /etc/security/pwquality.conf dcredit = -1 -If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -2594,13 +2603,13 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): -maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: +maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: $ sudo grep maxclassrepeat /etc/security/pwquality.conf maxclassrepeat = 4 -If the value of "maxclassrepeat" is set to more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. @@ -2675,21 +2684,21 @@ $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020220RHEL 8 passwords must be prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. - -RHEL 8 utilizes "pwquality" consecutively as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth. - -Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020220RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. + +RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth. + +Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations. -Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): +Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value): -password required pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system prohibits password reuse for a minimum of five generations. +password required pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations. -Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: +Check for the value of the "remember" argument in "/etc/pam.d/password-auth" with the following command: -$ sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth +$ sudo grep -i remember /etc/pam.d/password-auth password required pam_pwhistory.so use_authtok remember=5 retry=3 @@ -3065,23 +3074,7 @@ $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = HALT -If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030050The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -When availability is an overriding concern, other approved actions in response to an audit failure are as follows: - -1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. - -2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000140Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs": - -max_log_file_action = syslogVerify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. - -Check which action RHEL 8 takes when the audit storage volume is full with the following command: - -$ sudo grep max_log_file_action /etc/audit/auditd.conf - -max_log_file_action=syslog - -If the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030060The RHEL 8 audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. +If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030060The RHEL 8 audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: @@ -3453,127 +3446,40 @@ $ sudo grep -w /usr/bin/su /etc/audit/audit.rules -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030200The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "lremovexattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "lremovexattr" system call, by running the following command: - -$ sudo grep -w lremovexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030210The RHEL 8 audit system must be configured to audit any usage of the removexattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Removexattr" is a system call that removes extended attributes. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "removexattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "removexattr" system call, by running the following command: - -$ sudo grep -w removexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030220The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "lsetxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "lsetxattr" system call, by running the following command: - -$ sudo grep -w lsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030230The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The auid representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "fsetxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "fsetxattr" system call, by running the following command: - -$ sudo grep -w fsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030240The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "fremovexattr" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030200The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +"Setxattr" is a system call used to set an extended attribute value. +"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file. +"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link. +"Removexattr" is a system call that removes extended attributes. +"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file. +"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "fremovexattr" system call, by running the following command: +The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command: -$ sudo grep -w fremovexattr /etc/audit/audit.rules +$ sudo grep xattr /etc/audit/audit.rules --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030250Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030250Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information. @@ -3605,31 +3511,7 @@ $ sudo grep -w chcon /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030270The RHEL 8 audit system must be configured to audit any usage of the setxattr system call.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). "Setxattr" is a system call used to set an extended attribute value. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to audit the execution of the "setxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify if RHEL 8 is configured to audit the execution of the "setxattr" system call, by running the following command: - -$ sudo grep -w setxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030280Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030280Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication. @@ -3903,115 +3785,52 @@ $ sudo grep -w newgrp /etc/audit/audit.rules -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030360Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" command is used to load a kernel module. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -k module_chng - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "init_module" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "init_module" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -k module_chng - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030361Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" command will rename the specified files by replacing the first occurrence of expression in their name by replacement. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rename" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "rename" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "rename" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030362Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "renameat" command renames a file, moving it between directories if required. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "renameat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "renameat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "renameat" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030363Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rmdir" command removes empty directories. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rmdir" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "rmdir" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "rmdir" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030364Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "unlink" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "unlink" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "unlink" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "unlink" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030365Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "unlinkat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "unlinkat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "unlinkat" /etc/audit/audit.rules +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030360Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: + +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng + +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "init_module" and "finit_module" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep init_module /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng + +If the command does not return an audit rule for "init_module" and "finit_module" or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030361Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. + +The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. +The "rmdir" system call removes empty directories. +The "renameat" system call renames a file, moving it between directories if required. +The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: --a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030370Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep 'rename\|unlink\|rmdir' /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete + +If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030370Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. @@ -4027,24 +3846,6 @@ $ sudo grep -w gpasswd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030380Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "finit_module" command is used to load a kernel module. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "finit_module" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "finit_module" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w "finit_module" /etc/audit/audit.rules - --a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng --a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng - If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030390Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module. @@ -4095,277 +3896,87 @@ $ sudo grep -w chsh /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030420Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "truncate" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw truncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030430Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "openat" system call opens a file specified by a relative pathname. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "openat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "openat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw openat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030440Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "open system" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "open" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw open /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030450Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open_by_handle_at" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "open_by_handle_at" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030460Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ftruncate" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ftruncate" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw ftruncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030470Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "creat" system call is used to open and possibly create a file or device. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "creat" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "creat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -iw creat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access - --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access - -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030480Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown" command by adding or updating the following line to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chown" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w chown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030490Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod" command by adding or updating the following line to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chmod" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w chmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030500Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lchown" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "lchown" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w lchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030510Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchownat" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchownat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w fchownat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030520Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchown" system call by adding or updating the following line to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchown" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w fchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030530Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. - -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmodat" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchmodat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": - -$ sudo grep -w fchmodat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030540Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchmod" system call is used to change permissions of a file. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030420Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. + +The "creat" system call is used to open and possibly create a file or device. +The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". +The "openat" system call opens a file specified by a relative pathname. +The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmod" system call by adding or updating the following line to "/etc/audit/rules.d/audit.rules": +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access + +-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access +-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access + +If the output does not produce rules containing "-F exit=-EPERM", this is a finding. +If the output does not produce rules containing "-F exit=-EACCES", this is a finding. +If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030480Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group. + +The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor. +The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor. +The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchmod" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules": +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod -$ sudo grep -w fchmod /etc/audit/audit.rules +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat" and "lchown" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep chown /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +If audit rules are not defined for "chown", "fchown", "fchownat", and "lchown" or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030490Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. + +The "fchmod" system call is used to change permissions of a file. +The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. + +When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030550Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls by using the following command to check the file system rules in "/etc/audit/audit.rules": + +$ sudo grep chmod /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat", or any of the lines returned are commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030550Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. @@ -4714,17 +4325,17 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. +If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001849Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records. -If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created.Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. +If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created.Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Determine to which partition the audit records are being written with the following command: -$ sudo grep log_file /etc/audit/auditd.conf +$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command: @@ -5016,29 +4627,18 @@ $ sudo yum remove rsh-serverSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040020RHEL 8 must cover or disable the built-in or attached camera when not in use.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the rsh-server package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040020RHEL 8 must cover or disable the built-in or attached camera when not in use.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. -Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000381Configure the operating system to disable the built-in or attached camera when not in use. - -First determine the driver being used by the camera with the following command: +Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000381Configure the operating system to disable the built-in or attached camera when not in use. -$ sudo dmesg | grep -i video +Build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example: -[ 44.630131] ACPI: Video Device [VGA] -[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7 -[ 46.670133] videodev: Linux video capture interface: v2.00 -[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675) -[ 47.235752] usbcore: registered new interface driver uvcvideo -[ 47.235756] USB Video Class driver (1.1.1) - -Next, build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example: - -##Disable WebCam +install uvcvideo /bin/true blacklist uvcvideo -Reboot the system for the settings to take effect.If the device or operating system does not have a camera installed, this requirement is not applicable. +Reboot the system for the settings to take effect.If the device or operating system does not have a camera installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. @@ -5050,24 +4650,21 @@ For a built-in camera, the camera must be protected by a camera cover (e.g., lap If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: -Determine if the camera is disabled via blacklist with the following command: +Verify the operating system disables the ability to load the uvcvideo kernel module. -$ sudo grep blacklist /etc/modprobe.d/* +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" -/etc/modprobe.d/blacklist.conf:blacklist uvcvideo +install uvcvideo /bin/true -Determine if a camera driver is in use with the following command: +If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding. -$ sudo dmesg | grep -i video +Verify the camera is disabled via blacklist with the following command: -[ 44.630131] ACPI: Video Device [VGA] -[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7 -[ 46.670133] videodev: Linux video capture interface: v2.00 -[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675) -[ 47.235752] usbcore: registered new interface driver uvcvideo -[ 47.235756] USB Video Class driver (1.1.1) +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist" + +blacklist uvcvideo -If the camera driver blacklist is missing, a camera driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040021RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040021RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. @@ -5270,25 +4867,16 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040080RHEL 8 must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. +If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-08-040080RHEL 8 must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure the operating system to disable the ability to use the USB Storage kernel module. +Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000778Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices. -Create a file under "/etc/modprobe.d" with the following command: - -$ sudo touch /etc/modprobe.d/usb-storage.conf - -Add the following line to the created file: +Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install usb-storage /bin/true +blacklist usb-storage -Configure the operating system to disable the ability to use USB mass storage devices. - -$ sudo vi /etc/modprobe.d/blacklist.conf - -Add or update the line: - -blacklist usb-storageVerify the operating system disables the ability to load the USB Storage kernel module. +Reboot the system for the settings to take effect.Verify the operating system disables the ability to load the USB Storage kernel module. $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true" @@ -5304,19 +4892,28 @@ $ sudo grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" blacklist usb-storage -If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>RHEL-08-040090A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.<VulnDiscussion>Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. +If the command does not return any output or the output is not "blacklist usb-storage" and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>RHEL-08-040090A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.<VulnDiscussion>Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. -RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002314Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands: +RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002314Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands: $ sudo firewall-cmd --permanent --new-zone=[custom] $ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml -This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality. +This will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name. +Reload the firewall rules to make the new [custom] zone available to load: +$ sudo firewall-cmd --reload + +Set the default zone to the new [custom] zone: $ sudo firewall-cmd --set-default-zone=[custom] -Note: This is a runtime and permanent change.Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: +Note: This is a runtime and permanent change. +Add any interfaces to the new [custom] zone: +$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33 + +Reload the firewall rules for changes to take effect: +$ sudo firewall-cmd --reloadVerify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: $ sudo firewall-cmd --state @@ -6467,22 +6064,13 @@ $ sudo egrep "[+]?acl" /etc/aide.conf VarFile = OwnerMode+n+l+X+acl -If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040320The graphical display manager must not be installed on RHEL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: +If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040320The graphical display manager must not be installed on RHEL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: Open an SSH session and enter the following commands: -$ sudo systemctl set-default multi-user.target - $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland -A reboot is required for the changes to take effect.Verify that the system is configured to boot to the command line: - -$ systemctl get-default -multi-user.target - -If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. - -Verify that a graphical user interface is not installed: +A reboot is required for the changes to take effect.Verify that a graphical user interface is not installed: $ rpm -qa | grep xorg | grep server @@ -6610,11 +6198,11 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw -Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. +Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' @@ -6622,10 +6210,11 @@ $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | g /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw -If no results are returned, this is a finding +If no results are returned, this is a finding. +If results are returned from more than one file location, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -6635,11 +6224,13 @@ $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] -Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. +Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. $ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* /etc/sudoers:Defaults timestamp_timeout=0 +If results are returned from more than one file location, this is a finding. + If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. @@ -6670,19 +6261,7 @@ $ sudo grep banner-message-enable /etc/dconf/db/local.d/* banner-message-enable=true -If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010131The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. - -Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash. - -Edit/modify the following line in the "etc/pam.d/system-auth" file and set "rounds" to a value no lower than "5000": - -password sufficient pam_unix.so sha512 rounds=5000Check that a minimum number of hash rounds is configured by running the following command: - -$ sudo grep rounds /etc/pam.d/system-auth - -password sufficient pam_unix.so sha512 rounds=5000 - -If "rounds" has a value below "5000", or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010141RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. +If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010141RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to have a unique name for the grub superusers account. @@ -6730,21 +6309,21 @@ $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency -If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010159The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. +If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010159The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. -FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so: -password sufficient pam_unix.so sha512 rounds=5000Verify that pam_unix.so module is configured to use sha512. +password sufficient pam_unix.so sha512Verify that pam_unix.so module is configured to use sha512. Check that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: $ sudo grep password /etc/pam.d/system-auth | grep pam_unix -password sufficient pam_unix.so sha512 rounds=5000 +password sufficient pam_unix.so sha512 If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010201The RHEL 8 SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. @@ -6769,7 +6348,7 @@ $ sudo grep -i clientalive /etc/ssh/sshd_config ClientAliveInterval 600 ClientAliveCountMax 0 -If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010287The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010287The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. @@ -6777,17 +6356,17 @@ Cryptographic mechanisms used for protecting the integrity of information includ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd: +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd: -# crypto_policy= +# CRYPTO_POLICY= -A reboot is required for the changes to take effect.Verify that system-wide crypto policies are in effect: +A reboot is required for the changes to take effect.Verify that system-wide crypto policies are in effect: -$ sudo grep -i crypto_policy /etc/sysconfig/sshd +$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd -# crypto_policy= +# CRYPTO_POLICY= -If the "crypto_policy" is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. +If the "CRYPTO_POLICY " is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command: @@ -6819,13 +6398,13 @@ $ sudo grep /var/tmp /etc/fstab UUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2 -If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. +If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: $ sudo mount | grep '\s/boot/efi\s' -/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) +/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010731All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: @@ -7114,7 +6693,7 @@ fapolicyd.service - File Access Policy Daemon Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled) Active: active (running) -If fapolicyd is not enabled and running, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040137The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. +If fapolicyd is not enabled and running, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040137The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. @@ -7124,11 +6703,7 @@ RHEL 8 ships with many optional packages. One such package is a file access poli Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. -Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following command: - -Note: Running this command requires a root shell - -# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts +Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd". With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line: @@ -7138,7 +6713,7 @@ Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the la Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. -permissive = 0Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy. +permissive = 0Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy. Check that "fapolicyd" is in enforcement mode with the following command: @@ -7146,7 +6721,7 @@ $ sudo grep permissive /etc/fapolicyd/fapolicyd.conf permissive = 0 -Check that fapolicyd employs a deny-all policy on system mounts with the following commands: +Check that fapolicyd employs a deny-all policy on system mounts with the following command: $ sudo tail /etc/fapolicyd/fapolicyd.rules @@ -7154,18 +6729,7 @@ allow exe=/usr/bin/python3.7 : ftype=text/x-python deny_audit perm=any pattern=ld_so : all deny perm=any all : all -$ sudo cat /etc/fapolicyd/fapolicyd.mounts - -/dev/shm -/run -/sys/fs/cgroup -/ -/home -/boot -/run/user/42 -/run/user/1000 - -If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040139RHEL 8 must have the USBGuard installed.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +If fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040139RHEL 8 must have the USBGuard installed.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. @@ -7511,4 +7075,201 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /etc/sysctl.d/*.conf If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. -If the configuration file does not begin with "99-", this is a finding. \ No newline at end of file +If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: + +Perform a password reset: +$ sudo passwd [username] +Lock an account: +$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command: + +$ sudo awk -F: '!$2 {print $1}' /etc/shadow + +If the command returns any results, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010331RHEL 8 library directories must have mode 755 or less permissive.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001499Configure the library directories to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. + +$ sudo chmod 755 [DIRECTORY]Verify the system-wide shared library directories within "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; + +If any system-wide shared library directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010341RHEL 8 library directories must be owned by root.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001499Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". + +$ sudo chown root [DIRECTORY]Verify the system-wide shared library directories are owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; + +If any system-wide shared library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>RHEL-08-010351RHEL 8 library directories must be group-owned by root or a system account.<VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001499Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. + +Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". + +$ sudo chgrp root [DIRECTORY]Verify the system-wide shared library directories are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + +If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-08-010359The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002696Install the AIDE package by running the following command: + +$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. + +Check that the AIDE package is installed with the following command: + +$ sudo rpm -q aide + +aide-0.16-14.el8.x86_64 + +If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. + +If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + +It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. + +Edit the /etc/sudoers file with the following command: + +$ sudo visudo + +Add or modify the following line: +#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: + +$ sudo grep include /etc/sudoers + +#includedir /etc/sudoers.d + +If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding. + +Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: + +$ sudo grep include /etc/sudoers.d/* + +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Configure the operating system to require users to supply a password for privilege escalation. + +Check the configuration of the "/etc/ pam.d/sudo" file with the following command: +$ sudo vi /etc/pam.d/sudo + +Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation. + +Check the configuration of the "/etc/pam.d/sudo" file with the following command: + +$ sudo grep pam_succeed_if /etc/pam.d/sudo + +If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020101RHEL 8 must ensure the password complexity module is enabled in the system-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. + +Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value): + +password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. + +Check for the use of "pwquality" in the system-auth file with the following command: + +$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality + +password required pam_pwquality.so + +If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020102RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. + +Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): + +password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. + +Verify the operating system is configured to limit the "pwquality" retry option to 3. + +Check for the use of the "pwquality" retry option in the system-auth file with the following command: + +$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality + +password required pam_pwquality.so retry=3 + +If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020103RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. + +Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): + +password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. + +Verify the operating system is configured to limit the "pwquality" retry option to 3. + +Check for the use of the "pwquality" retry option in the password-auth file with the following command: + +$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality + +password required pam_pwquality.so retry=3 + +If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. + +Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): + +retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. + +Verify the operating system is configured to limit the "pwquality" retry option to 3. + +Check for the use of the "pwquality" retry option with the following command: + +$ sudo grep retry /etc/security/pwquality.conf + +retry = 3 + +If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. + +Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: + +$ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth + +If the command returns any results, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020221RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. + +RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth. + +Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations. + +Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value): + +password required pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations. + +Check for the value of the "remember" argument in "/etc/pam.d/password-auth" with the following command: + +$ sudo grep -i remember /etc/pam.d/password-auth + +password required pam_pwhistory.so use_authtok remember=5 retry=3 + +If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040321The graphical display manager must not be the default target on RHEL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: + +Open an SSH session and enter the following commands: + +$ sudo systemctl set-default multi-user.target + +A reboot is required for the changes to take effect.Verify that the system is configured to boot to the command line: + +$ systemctl get-default +multi-user.target + +If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. \ No newline at end of file diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index c2522c9..b9eeff5 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R3. + DISA STIG for Red Hat Enterprise Linux 8 V1R5. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 95d87fd..54bf46d 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes