n | 1 | Verify that RHEL 9 is configured to audit the execution of the "reboot" command with the following command: | n | 1 | Verify that an audit event is generated for any successful/unsuccessful use of the reboot command by performing the following command to check the file system rules in "/etc/audit/audit.rules": |
2 | 2 | ||||
n | 3 | $ sudo auditctl -l | grep reboot | n | 3 | $ sudo grep -w reboot /etc/audit/audit.rules |
4 | 4 | ||||
5 | -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot | 5 | -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot | ||
6 | 6 | ||||
t | 7 | If the command does not return a line, or the line is commented out, this is a finding. | t | 7 | If the command does not return a line, or the line is commented out, then this is a finding. |
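Review bot: the two commands on line 3 test different things, and the right-hand text should say which is intended: `auditctl -l` lists the rules currently loaded in the kernel, while `grep -w reboot /etc/audit/audit.rules` reads the on-disk file, which on RHEL 9 is regenerated from /etc/audit/rules.d/*.rules by augenrules and can lag behind both the rules.d files and the loaded ruleset. If the file check is kept, have the reviewer also confirm the rule is loaded, or grep /etc/audit/rules.d/ as well. The right-hand line 1 also calls this a "file system rule"; the rule on line 5 is an execution rule (`-F perm=x`), so "audit rule" is the accurate term.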
t | 1 | RHEL 9 must not have accounts configured with blank or null passwords. | t | 1 | RHEL 9 must have no accounts with blank or null passwords. |
n | 1 | Verify that null or blank passwords cannot be used with the following command: | n | 1 | To verify that null passwords cannot be used, run the following command: |
2 | $ sudo awk -F: '!$2 {print $1}' /etc/shadow | ||||
3 | If this produces any output, it may be possible to log into accounts | ||||
4 | with empty passwords. | ||||
2 | 5 | ||||
t | 3 | $ sudo awk -F: '!$2 {print $1}' /etc/shadow | t | 6 | If Blank or NULL passwords can be used, then this is a finding. |
4 | |||||
5 | If the command returns any results, this is a finding. |
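Review bot: the right-hand finding criterion on line 6 ("If Blank or NULL passwords can be used") is no longer tied to the output of the command on line 2, which makes the check subjective; keep the left-hand form "If the command returns any results, this is a finding." The awk on line 2 only reports accounts whose /etc/shadow password field is empty, so the hedge on line 3 ("it may be possible") is fair, but it should not replace a concrete criterion. Minor: "Blank or NULL" should be lower case to match line 1.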
n | 1 | Configure all accounts on RHEL 9 to have a password or lock the account with the following commands: | n | 1 | Configure all accounts on RHEL 9 to have a password or lock |
2 | 2 | the account with the following commands: | |||
3 | Perform a password reset: | 3 | Perform a password reset: | ||
t | 4 | t | |||
5 | $ sudo passwd [username] | 4 | $ sudo passwd [username] | ||
6 | |||||
7 | To lock an account: | 5 | Lock an account: | ||
8 | |||||
9 | $ sudo passwd -l [username] | 6 | $ sudo passwd -l [username] |
f | 1 | Verify RHEL 9 disables the use of user namespaces with the following commands: | f | 1 | Verify RHEL 9 disables the use of user namespaces with the following commands: |
2 | 2 | ||||
3 | Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. | 3 | Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. | ||
4 | 4 | ||||
t | 5 | $ sysctl user.max_user_namespaces | t | 5 | $ sudo sysctl user.max_user_namespaces |
6 | 6 | ||||
7 | user.max_user_namespaces = 0 | 7 | user.max_user_namespaces = 0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. | 9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. |
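Review bot: both columns verify only the running value with `sysctl user.max_user_namespaces` (line 5) and never check that the setting is persisted, unlike the IPv6 sysctl checks elsewhere in this diff, which also inspect the sysctl configuration files; a system that passes at check time reverts to the kernel default after a reboot if nothing under /etc/sysctl.d/ sets the value. Adding the same `systemd-sysctl --cat-config` / `sysctl.conf` step used for the accept_source_route checks would close that gap. The `sudo` added on the right is harmless but not needed to read the value.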
n | 1 | Verify the ownership of the "/etc/group" file with the following command: | n | 1 | To check the ownership of /etc/group , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/group | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root /etc/group | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/group | t | ||
4 | |||||
5 | root /etc/group | ||||
6 | |||||
7 | If "/etc/group" file does not have an owner of "root", this is a finding. | 7 | If /etc/group does not have an owner of root, then this is a finding. |
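Review bot: the right-hand line 1 has a stray space before the comma in "/etc/group ," (the same pattern appears in the /etc/group-, /etc/gshadow-, /etc/crontab and /etc/shadow checks in this diff); otherwise the rewrite keeps the command, expected output and finding criterion intact, so there is no functional change.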
f | 1 | Change the owner of the file /etc/group to root by running the following command: | f | 1 | Change the owner of the file /etc/group to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chown root /etc/group | 2 | $ sudo chown root /etc/group |
t | 1 | Verify that RHEL 9 has the rsyslog-gnutls package installed with the following command: | t | 1 | Verify that RHEL 9 has the rsyslog-gnutls package installed with the following command:$ sudo dnf list --installed rsyslog-gnutlsrsyslog-gnutls.x86_64 8.2102.0-101.el9_0.1If the rsyslog-gnutls package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed rsyslog-gnutls | ||||
4 | |||||
5 | rsyslog-gnutls.x86_64 8.2102.0-101.el9_0.1 | ||||
6 | |||||
7 | If the rsyslog-gnutls package is not installed, this is a finding. |
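Review bot: the right-hand text has lost its line breaks, so the command, the sample output and the finding sentence run together as "command:$ sudo dnf list --installed rsyslog-gnutlsrsyslog-gnutls.x86_64 8.2102.0-101.el9_0.1If the ..."; restore the blank-line separation of the left column (lines 1 to 7). The same collapse affects the pcsc-lite and aide package checks later in this diff. The version string in the sample output also dates quickly; the finding criterion on line 7 does not depend on it, so consider labelling it as an example.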
f | 1 | Verify the permissions of the "/etc/ssh/sshd_config" file with the following command: | f | 1 | Verify the permissions of the "/etc/ssh/sshd_config" file with the following command: |
2 | 2 | ||||
3 | $ ls -al /etc/ssh/sshd_config | 3 | $ ls -al /etc/ssh/sshd_config | ||
4 | 4 | ||||
5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | 5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | ||
6 | 6 | ||||
t | 7 | If the "/etc/ssh/sshd_config" permissions are not 0600, this is a finding. | t | 7 | If the "/etc/ssh/sshd_config" permissions are not 0600, then this is a finding. |
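Review bot: the sample output on line 5, "rw-------. 1 root root ...", is missing the leading file-type character that `ls -al` prints ("-rw-------."); the same truncated sample appears in the sshd_config group-ownership check later in this diff, and a reviewer matching the output literally would never see a match. `stat -c "%a %n"`, as used for /etc/crontab elsewhere on this page, prints the mode in the same numeric form as the criterion on line 7 and avoids the ambiguity.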
t | 1 | The RHEL 9 /etc/group- file must be owned by root. | t | 1 | The RHEL 9 /etc/group- file must be group-owned by root. |
n | 1 | Verify the ownership of the "/etc/group-" file with the following command: | n | 1 | To check the ownership of /etc/group- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/group- | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/group- | t | ||
4 | |||||
5 | root /etc/group- | ||||
6 | |||||
7 | If "/etc/group-" file does not have an owner of "root", this is a finding. | 7 | If /etc/group- does not have an owner of root, then this is a finding. |
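Review bot: the right-hand check still reports the file owner (`stat -c "%U %n"`, line 3) while the retitled requirement just above now says /etc/group- must be group-owned by root, so one of the two is wrong. If group ownership is intended, the format should be `%G`, line 4 should say "group-owner", and the expected output on line 5 should be "root /etc/group-" (the right column dropped the filename).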
t | 1 | Change the owner of the file /etc/group- to root by running the following command: | t | 1 | Change the group of the file /etc/group- to root by running the following command: |
2 | |||||
3 | $ sudo chown root /etc/group- | 2 | $ sudo chgrp root /etc/group- |
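Review bot: the fix on line 2 was changed from `chown root` to `chgrp root`, which sets the group, not the owner. That matches the right-hand title but not the check immediately above, which tests `%U` (owner); title, check and fix need to agree on which attribute this rule covers.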
f | 1 | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. | f | 1 | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. |
t | 2 | t |
f | 1 | Verify RHEL 9 does not accept IPv6 source-routed packets. | f | 1 | Verify RHEL 9 does not accept IPv6 source-routed packets. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | ||
4 | 4 | ||||
5 | Check the value of the accept source route variable with the following command: | 5 | Check the value of the accept source route variable with the following command: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.all.accept_source_route | t | 7 | $ sudo sysctl net.ipv6.conf.all.accept_source_route |
8 | 8 | ||||
9 | net.ipv6.conf.all.accept_source_route = 0 | 9 | net.ipv6.conf.all.accept_source_route = 0 | ||
10 | 10 | ||||
11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.accept_source_route | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.accept_source_route | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.all.accept_source_route = 0 | 17 | net.ipv6.conf.all.accept_source_route = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding. |
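Review bot: the only change in this hunk is `sudo` on line 7, which is not required to read a sysctl value. Two points on the unchanged text: `egrep` on line 15 is a deprecated alias and `grep -E -v '^(#|$)'` is the portable form, and `tail -1` assumes the last line printed is the one that takes effect, which holds only if `--cat-config` lists files in precedence order; a short note to that effect would help a reviewer who sees two conflicting lines. The same applies to the net.ipv6.conf.default.accept_source_route hunk below.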
f | 1 | Configure RHEL 9 to not forward IPv6 source-routed packets. | f | 1 | Configure RHEL 9 to not forward IPv6 source-routed packets. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv6.conf.all.accept_source_route = 0 | t | 5 | net.ipv6.conf.all.accept_source_route=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
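Review bot: the change from "= 0" to "=0" on line 5 has no functional effect, since sysctl configuration accepts both spellings; the check for this rule matches on the key name with `grep -F`, so either form is found. Line 3 asks for "a single system configuration file" without naming one, which leaves reviewers unable to tell two files setting the same key apart; naming the expected file, or at least stating that only one file may set the key, would make the check reproducible.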
n | 1 | Verify the group ownership of the "/etc/gshadow-" file with the following command: | n | 1 | To check the group ownership of /etc/gshadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/gshadow- | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/gshadow- | t | ||
4 | |||||
5 | root /etc/gshadow- | ||||
6 | |||||
7 | If "/etc/gshadow-" file does not have a group owner of "root", this is a finding. | 7 | If /etc/gshadow- does not have a group owner of root, then this is a finding. |
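Review bot: the right-hand command on line 3 uses `stat -c "%U %n"`, which prints the owner, but lines 1, 4 and 7 describe the group owner; this is a regression from the left column's `%G`. Line 5's expected output should also keep the filename ("root /etc/gshadow-") so it matches what the command prints.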
f | 1 | Change the group of the file /etc/gshadow- to root by running the following command: | f | 1 | Change the group of the file /etc/gshadow- to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/gshadow- | 2 | $ sudo chgrp root /etc/gshadow- |
t | 1 | The RHEL 9 /etc/crontab file must have mode 0600. | t | 1 | The RHEL 9 file must have mode 0600 /etc/crontab. |
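Review bot: the right-hand title reads "The RHEL 9 file must have mode 0600 /etc/crontab.", with the path moved after the mode; keep the left column's word order, "The RHEL 9 /etc/crontab file must have mode 0600."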
n | 1 | Verify the permissions of /etc/crontab with the following command: | n | 1 | To check the permissions of /etc/crontab , |
2 | run the command: | ||||
3 | $ stat -c "%a %n" /etc/crontab | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 644 | ||||
2 | 6 | ||||
t | 3 | $ stat -c "%a %n" /etc/crontab | t | ||
4 | |||||
5 | 0600 | ||||
6 | |||||
7 | If /etc/crontab does not have a mode of 0600, this is a finding. | 7 | If /etc/crontab does not have unix mode 644 then this is a finding. |
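Review bot: the right-hand check contradicts the requirement: lines 5 and 7 state 644 as the expected and required mode, while the title above and the fix below use 0600. With this text a correctly hardened /etc/crontab (0600) would be reported as a finding. Lines 5 and 7 should say 0600, as the left column does.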
f | 1 | Configure the RHEL 9 file /etc/crontab with mode 600. | f | 1 | Configure the RHEL 9 file /etc/crontab with mode 600. |
2 | 2 | ||||
t | 3 | $ sudo chmod 0600 /etc/crontab | t | 3 | chmod 0600 /etc/crontab |
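Review bot: the right-hand fix on line 3 drops the `$ sudo` prefix that every other fix command in this diff carries; /etc/crontab is root-owned, so the command needs privilege and the prefix should stay for consistency.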
t | 1 | Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: | t | 1 | Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: |
2 | 2 | ||||
3 | Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. | 3 | Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. | ||
4 | 4 | ||||
5 | $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) | 5 | $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) | ||
6 | 6 | ||||
7 | drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj | 7 | drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj | ||
8 | 8 | ||||
9 | If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding. | 9 | If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding. |
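Review bot: no textual change in this hunk, but two weaknesses in the command on line 5 deserve a sentence in the text: the filter `($7 !~ /nologin/)` only excludes shells whose path contains "nologin", so accounts with /bin/false as their shell are still treated as interactive, and the unquoted `$(...)` splits any home directory path containing whitespace into separate `ls` arguments. Reading the awk output in a `while read` loop is more robust. The note on line 3 already covers the `$3>=1000` limitation.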
n | 1 | Verify that a separate file system/partition has been created for "/tmp" with the following command: | n | 1 | Verify that a separate file system/partition has been created for /tmp with the following command: |
2 | 2 | ||||
n | 3 | $ mount | grep /tmp | n | 3 | $ mountpoint /tmp |
4 | 4 | ||||
n | 5 | tmpfs /tmp tmpfs noatime,mode=1777 0 0 | n | ||
6 | 5 | ||||
t | 7 | If a separate entry for "/tmp" is not in use, this is a finding. | t | 6 | If "/tmp is is not a mountpoint" is returned, then this is a finding. |
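Review bot: the right-hand finding criterion on line 6 has a doubled word, "/tmp is is not a mountpoint"; the `mountpoint` utility prints "/tmp is not a mountpoint". The same doubled "is" appears in the /home check further down. Switching from `mount | grep /tmp` to `mountpoint /tmp` is an improvement, since the grep also matches unrelated paths such as /var/tmp, but the sample output on line 5 was dropped; showing the success message "/tmp is a mountpoint" would keep the check self-describing.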
n | 1 | Verify the ownership of the "/etc/shadow" file with the following command: | n | 1 | To check the ownership of /etc/shadow , |
2 | 2 | run the command: | |||
3 | $ sudo stat -c "%U %n" /etc/shadow | 3 | $ sudo stat -c "%U %n" /etc/shadow | ||
4 | 4 | If properly configured, the output should indicate the following owner: | |||
5 | root /etc/shadow | 5 | root /etc/shadow | ||
6 | 6 | ||||
t | 7 | If "/etc/shadow" file does not have an owner of "root", this is a finding. | t | 7 | If /etc/shadow does not have an owner of root, then this is a finding. |
f | 1 | Change the owner of the file /etc/shadow to root by running the following command: | f | 1 | Change the owner of the file /etc/shadow to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chown root /etc/shadow | 2 | $ sudo chown root /etc/shadow |
f | 1 | Verify RHEL 9 does not accept IPv6 source-routed packets by default. | f | 1 | Verify RHEL 9 does not accept IPv6 source-routed packets by default. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | ||
4 | 4 | ||||
5 | Check the value of the accept source route variable with the following command: | 5 | Check the value of the accept source route variable with the following command: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.default.accept_source_route | t | 7 | $ sudo sysctl net.ipv6.conf.default.accept_source_route |
8 | 8 | ||||
9 | net.ipv6.conf.default.accept_source_route = 0 | 9 | net.ipv6.conf.default.accept_source_route = 0 | ||
10 | 10 | ||||
11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_source_route | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_source_route | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.default.accept_source_route = 0 | 17 | net.ipv6.conf.default.accept_source_route = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding. |
f | 1 | Configure RHEL 9 to not forward IPv6 source-routed packets by default. | f | 1 | Configure RHEL 9 to not forward IPv6 source-routed packets by default. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv6.conf.default.accept_source_route = 0 | t | 5 | net.ipv6.conf.default.accept_source_route=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. |
n | 1 | Verify the group ownership of all cron configuration files with the following command: | n | 1 | To check the group ownership of all cron configuration files, |
2 | 2 | run the command: | |||
3 | $ stat -c "%G %n" /etc/cron* | 3 | $ sudo stat -c "%G %n" /etc/cron* | ||
4 | 4 | If properly configured, the output should indicate the following group-owner for all files: | |||
5 | root /etc/cron.d | 5 | root /etc/cron.d | ||
6 | root /etc/cron.daily | 6 | root /etc/cron.daily | ||
7 | root /etc/cron.deny | 7 | root /etc/cron.deny | ||
8 | root /etc/cron.hourly | 8 | root /etc/cron.hourly | ||
9 | root /etc/cron.monthly | 9 | root /etc/cron.monthly | ||
10 | root /etc/crontab | 10 | root /etc/crontab | ||
11 | root /etc/cron.weekly | 11 | root /etc/cron.weekly | ||
12 | 12 | ||||
t | t | 13 | |||
13 | If any crontab is not group owned by root, this is a finding. | 14 | If any crontab is not group owned by group, this is a finding. |
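Review bot: the right-hand finding criterion on line 14, "If any crontab is not group owned by group", lost the word "root"; it should read "not group owned by root" as on the left. The glob `/etc/cron*` on line 3 also matches only the top-level entries, so files inside /etc/cron.d and the other directories are not examined; if those are in scope, `stat -c "%G %n" /etc/cron* /etc/cron.*/*` covers them.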
n | 1 | Verify that a separate file system/partition has been created for "/home" with the following command: | n | 1 | Verify that a separate file system/partition has been created for /home with the following command: |
2 | 2 | ||||
n | 3 | $ mount | grep /home | n | 3 | $ mountpoint /home |
4 | 4 | ||||
n | 5 | UUID=fba5000f-2ffa-4417-90eb-8c54ae74a32f on /home type ext4 (rw,nodev,nosuid,noexec,seclabel) | n | ||
6 | 5 | ||||
t | 7 | If a separate entry for "/home" is not in use, this is a finding. | t | 6 | If "/home is is not a mountpoint" is returned, then this is a finding. |
t | 1 | Migrate the "/home" directory onto a separate file system/partition. | t | 1 | Migrate the "/home" directory onto a separate file system. |
n | 1 | Verify the SSH public host key files have a mode of "0644" or less permissive with the following command: | n | 1 | Verify the SSH public host key files have mode "0644" or less permissive with the following command: |
2 | 2 | ||||
3 | Note: SSH public key files may be found in other directories on the system depending on the installation. | 3 | Note: SSH public key files may be found in other directories on the system depending on the installation. | ||
4 | 4 | ||||
5 | $ sudo stat -c "%a %n" /etc/ssh/*.pub | 5 | $ sudo stat -c "%a %n" /etc/ssh/*.pub | ||
6 | 6 | ||||
7 | 644 /etc/ssh/ssh_host_dsa_key.pub | 7 | 644 /etc/ssh/ssh_host_dsa_key.pub | ||
8 | 644 /etc/ssh/ssh_host_ecdsa_key.pub | 8 | 644 /etc/ssh/ssh_host_ecdsa_key.pub | ||
9 | 644 /etc/ssh/ssh_host_ed25519_key.pub | 9 | 644 /etc/ssh/ssh_host_ed25519_key.pub | ||
10 | 644 /etc/ssh/ssh_host_rsa_key.pub | 10 | 644 /etc/ssh/ssh_host_rsa_key.pub | ||
11 | 11 | ||||
t | t | 12 | |||
12 | If any key.pub file has a mode more permissive than "0644", this is a finding. | 13 | If any key.pub file has a mode more permissive than "0644", this is a finding. |
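Review bot: the only change in this hunk is an added blank line (12); two points on the unchanged text. The note on line 3 says public key files may live in other directories, but the command on line 5 looks only in /etc/ssh/, so the reviewer is given no way to find them. And the criterion on line 13, "more permissive than 0644", requires comparing modes by eye; `find /etc/ssh -name '*.pub' -perm /0133` lists exactly the files with any group-write, other-write or execute bit set, which is what "more permissive than 0644" means.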
t | 1 | Verify that RHEL 9 has the pcsc-lite package installed with the following command: | t | 1 | Verify that RHEL 9 has the pcsc-lite package installed with the following command:$sudo dnf list --installed pcsc-litepcsc-lite.x86_641.9.4-1.el9If a pcsc-lite package is not installed, this is a finding. |
2 | |||||
3 | $sudo dnf list --installed pcsc-lite | ||||
4 | |||||
5 | pcsc-lite.x86_64 1.9.4-1.el9 | ||||
6 | |||||
7 | If a pcsc-lite package is not installed, this is a finding. |
t | 1 | Verify the SSH server is configured to use only ciphers employing FIPS 140-3 approved algorithms with the following command: | t | 1 | Verify the SSH server is configured to use only ciphers employing FIPS 140-3-approved algorithms with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config | 3 | $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config | ||
4 | 4 | ||||
5 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | 5 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | ||
6 | 6 | ||||
7 | If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding. | 7 | If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding. |
n | 1 | Configure the RHEL 9 SSH server to use only ciphers employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: | n | 1 | Configure the RHEL 9 SSH server to use only ciphers employing FIPS 140-3-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: |
2 | 2 | ||||
t | 3 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | t | 3 | Ciphers=aes256-ctr,aes192-ctr,aes128-ctr |
4 | 4 | ||||
5 | A reboot is required for the changes to take effect. | 5 | A reboot is required for the changes to take effect. |
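Review bot: the right-hand fix on line 3 changes the directive to "Ciphers=aes256-ctr,...", but the check for this rule expects the line "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" (space-separated, sshd_config syntax) in opensshserver.config, so after applying the fix the check's expected output would not match; keep the left-hand form. Independently of the diff, /etc/crypto-policies/back-ends/opensshserver.config is regenerated by `update-crypto-policies`, so a hand edit is overwritten the next time a policy is applied; the durable route is a policy module under /etc/crypto-policies/policies/modules/ applied with `update-crypto-policies --set`, which the fix text should mention.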
t | 1 | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | t | ||
2 | |||||
3 | Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. | ||||
4 | |||||
5 | Depending on the infrastruture being used the "pool" directive may not be supported. | 1 | Depending on the infrastruture being used the "pool" directive may not be supported. |
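Review bot: the right column drops the two rationale paragraphs (lines 1 and 3 on the left) and keeps only the "pool" caveat, which now stands alone without the requirement it qualifies; either keep the rationale or fold the caveat into the check text. "infrastruture" (left line 5, right line 1) is a typo for "infrastructure" in both columns.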
n | 1 | Verify RHEL 9 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands: | n | 1 | Run the following command and verify that time sources are only configure with "server" directive: |
2 | # grep -E "^(server|pool)" /etc/chrony.conf | ||||
3 | A line with the appropriate server should be returned, any line returned starting with "pool" is a finding. | ||||
2 | 4 | ||||
t | 3 | $ sudo grep maxpoll /etc/chrony.conf | t | 5 | If an authoritative remote time server is not configured or configured with pool directive, then this is a finding. |
4 | |||||
5 | server 0.us.pool.ntp.mil iburst maxpoll 16 | ||||
6 | |||||
7 | If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. | ||||
8 | |||||
9 | Verify the "chrony.conf" file is configured to an authoritative DoD time source by running the following command: | ||||
10 | |||||
11 | $ sudo grep -i server /etc/chrony.conf | ||||
12 | server 0.us.pool.ntp.mil | ||||
13 | |||||
14 | If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding. |
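Review bot: the right-hand check no longer verifies the polling interval: the left column's `grep maxpoll /etc/chrony.conf` (lines 3 to 7) and its "maxpoll greater than 16" criterion are removed, so the 24-hour comparison stated in the left-hand line 1 is not tested any more. Also on the right: line 1 should read "configured", the prompt on line 2 is "#" where the rest of this diff uses "$ sudo", and line 3 makes any "pool" line a finding while the caveat just above only says "pool" may be unsupported; the criterion should state what a "pool" line fails to satisfy.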
f | 1 | Verify the group ownership of the "/etc/ssh/sshd_config" file with the following command: | f | 1 | Verify the group ownership of the "/etc/ssh/sshd_config" file with the following command: |
2 | 2 | ||||
3 | $ ls -al /etc/ssh/sshd_config | 3 | $ ls -al /etc/ssh/sshd_config | ||
4 | 4 | ||||
5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | 5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | ||
6 | 6 | ||||
t | 7 | If the "/etc/ssh/sshd_config" file does not have a group owner of "root", this is a finding. | t | 7 | If the "/etc/ssh/sshd_config" file does not have a group owner of "root", then this is a finding. |
t | 1 | RHEL 9 must enable the Pluggable Authenitcation Module (PAM) interface for SSHD. | t | 1 | RHEL 9 must enable the Pluggable Authenitcation Module interface for SSHD. |
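Review bot: "Authenitcation" is a typo for "Authentication" in both columns of this title; the right column also drops the "(PAM)" abbreviation that the check and fix text rely on ("UsePAM"), so keep it.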
t | 1 | Verify the RHEL9 SSHD is configured to allow for the UsePAM interface with the following command: | t | 1 | Verify the RHEL 9 SSHD is configure to allow for the UsePAM interface with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i usepam /etc/ssh/sshd_config | 3 | $ sudo grep -i usepam /etc/ssh/sshd_config | ||
4 | 4 | ||||
5 | UsePAM yes | 5 | UsePAM yes | ||
6 | 6 | ||||
7 | If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding. | 7 | If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding. |
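Review bot: the right-hand line 1 reads "is configure to allow"; it should be "is configured to allow". The check on line 3 greps only /etc/ssh/sshd_config; on RHEL 9 sshd also includes drop-in files from /etc/ssh/sshd_config.d/, where a conflicting UsePAM setting could take precedence, so `sudo sshd -T | grep -i usepam` reports the effective value and would be the more reliable check.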
t | 1 | Configure the RHEL9 SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config". | t | 1 | Configure the RHEL 9 SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config". |
2 | 2 | ||||
3 | UsePAM yes | 3 | UsePAM yes | ||
4 | 4 | ||||
5 | Restart the SSH daemon for the settings to take effect: | 5 | Restart the SSH daemon for the settings to take effect: | ||
6 | 6 | ||||
7 | $ sudo systemctl restart sshd.service | 7 | $ sudo systemctl restart sshd.service |
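Review bot: line 1 in both columns is a run-on: "Configure the RHEL 9 SSHD to use the UsePAM interface add or modify the following line" needs a comma after "interface" and should end with a colon rather than a full stop, since the directive follows on line 3.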
t | 1 | Alan May | t | 1 | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. |
2 | |||||
3 | Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. | ||||
4 | |||||
5 | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. |
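Review bot: the left column of this hunk contains only a name, "Alan May", where the right column carries the three-paragraph rationale on signed software; this appears to be a field misalignment in the comparison rather than a content change, so confirm the left-hand source before treating the rationale as newly added text.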
f | 1 | Verify the audit system prevents unauthorized changes with the following command: | f | 1 | Verify the audit system prevents unauthorized changes with the following command: |
2 | 2 | ||||
3 | $ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 | 3 | $ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 | ||
4 | 4 | ||||
5 | -e 2 | 5 | -e 2 | ||
6 | 6 | ||||
t | 7 | If the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules", this is a finding. | t | 7 | If the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules", then this is a finding. |
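Review bot: the check on line 3 reads the last non-comment line of /etc/audit/audit.rules, but on RHEL 9 that file is regenerated from /etc/audit/rules.d/*.rules by augenrules, so "-e 2" has to sit in the rules.d file that sorts last to remain at the end of the generated file; line 7 should tell the reviewer where it is expected to be found, and `auditctl -s` (which reports "enabled 2" when immutable) would confirm the loaded state. The right column only adds "then" on line 7.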
n | 1 | Verify the ownership of all cron configuration files with the command: | n | 1 | To check the group ownership of all cron configuration files, |
2 | 2 | run the command: | |||
3 | $ stat -c "%U %n" /etc/cron* | 3 | $ sudo stat -c "%U %n" /etc/cron* | ||
4 | 4 | If properly configured, the output should indicate the following owner for all files: | |||
5 | root /etc/cron.d | 5 | root /etc/cron.d | ||
6 | root /etc/cron.daily | 6 | root /etc/cron.daily | ||
7 | root /etc/cron.deny | 7 | root /etc/cron.deny | ||
8 | root /etc/cron.hourly | 8 | root /etc/cron.hourly | ||
9 | root /etc/cron.monthly | 9 | root /etc/cron.monthly | ||
10 | root /etc/crontab | 10 | root /etc/crontab | ||
11 | root /etc/cron.weekly | 11 | root /etc/cron.weekly | ||
12 | 12 | ||||
t | t | 13 | |||
13 | If any crontab is not owned by root, this is a finding. | 14 | If any crontab is not owned by group, this is a finding. |
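Review bot: the right-hand line 1 now says "group ownership", but the command on line 3 prints the owner (`%U`) and the left-hand line 1 of this rule is about ownership, so line 1 should stay "ownership". Line 14 on the right, "not owned by group", lost the word "root", the same slip as in the cron group-ownership hunk above.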
t | 1 | Verify that RHEL 9 has the aide package installed with the following command: | t | 1 | Verify that RHEL 9 has the aide package installed with the following command:$sudo dnf list --installed aideaide.x86_640.16.100.el9If the aide package is not installed, this is a finding. |
2 | |||||
3 | $sudo dnf list --installed aide | ||||
4 | |||||
5 | aide.x86_64 0.16.100.el9 | ||||
6 | |||||
7 | If the aide package is not installed, this is a finding. |
t | 1 | The RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/group file must have 0644 or less permissive to prevent unauthorized access. |
n | 1 | Verify that the "/etc/group" file has mode "0644" or less permissive with the following command: | n | 1 | To check the permissions of /etc/group , |
2 | 2 | run the command: | |||
3 | $ sudo stat -c "%a %n" /etc/group | 3 | $ sudo stat -c "%a %n" /etc/group | ||
4 | 4 | If properly configured, the output should indicate the following permissions: | |||
5 | 644 /etc/group | 5 | 644 /etc/group | ||
6 | 6 | ||||
t | 7 | If a value of "0644" or less permissive is not returned, this is a finding. | t | 7 | If /etc/group does not have unix mode 644, then this is a finding. |
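Review bot: the right-hand criterion on line 7, "If /etc/group does not have unix mode 644", drops "or less permissive", so a stricter mode such as 0640 would be reported as a finding even though the title says "0644 or less permissive"; keep the left-hand wording. The right-hand title just above also lost the word "mode" ("must have 0644 or less permissive").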
t | 1 | Change the mode of the file "/etc/group" to "0644" by running the following command: | t | 1 | Change the permissions of the file "/etc/group" to "0644" by running the following command: |
2 | |||||
3 | $ sudo chmod 0644 /etc/group | 2 | $ sudo chmod 0644 /etc/group |
t | 1 | The RHEL9 audit service must be enabled. | t | 1 | The RHEL 9 audit service must be enabled. |
t | 1 | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. | t | 1 | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. |
2 | 2 | ||||
3 | Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. | 3 | Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. | ||
4 | 4 | ||||
5 | This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. | 5 | This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. |
n | 1 | Verify that RHEL 9 is configured to notify the appropraite interactive users in the event of an audit processing failure. | n | 1 | Find the list of alias maps used by the Postfix mail server for root. |
2 | 2 | ||||
3 | Find the alias maps that are being used with the following command: | 3 | Find the alias maps that are being used with the following command: | ||
4 | 4 | ||||
5 | $ postconf alias_maps | 5 | $ postconf alias_maps | ||
n | 6 | n | |||
7 | alias_maps = hash:/etc/aliases | 6 | alias_maps = hash:/etc/aliases | ||
8 | 7 | ||||
9 | Query the Postfix alias maps for an alias for the root user with the following command: | 8 | Query the Postfix alias maps for an alias for the root user with the following command: | ||
10 | 9 | ||||
11 | $ postmap -q root hash:/etc/aliases | 10 | $ postmap -q root hash:/etc/aliases | ||
12 | isso | 11 | isso | ||
13 | 12 | ||||
t | 14 | If an alias is not set, this is a finding. | t | 13 | If an alias is not set, then this is a finding. |
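Review bot: the new opening line "Find the list of alias maps used by the Postfix mail server for root." replaces the statement of what is being verified and then repeats the next line "Find the alias maps that are being used with the following command:"; keep a verify sentence (with the old typo "appropraite" corrected to "appropriate") followed by the step. Two checks are worth stating here: `postconf alias_maps` can list more than one map and `postmap -q root` must be run against each of them, and `postmap -q` reads the compiled database (/etc/aliases.db for hash:/etc/aliases), so an alias added to /etc/aliases without running `newaliases` still comes back empty and would be a false finding.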
f | 1 | Verify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. | f | 1 | Verify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is not applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is not applicable. | ||
4 | 4 | ||||
5 | Check to see if router advertisements are not accepted by default by using the following command: | 5 | Check to see if router advertisements are not accepted by default by using the following command: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.default.accept_ra | t | 7 | $ sudo sysctl net.ipv6.conf.default.accept_ra |
8 | 8 | ||||
9 | net.ipv6.conf.default.accept_ra = 0 | 9 | net.ipv6.conf.default.accept_ra = 0 | ||
10 | 10 | ||||
11 | If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | 11 | If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_ra | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_ra | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.default.accept_ra = 0 | 17 | net.ipv6.conf.default.accept_ra = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.default.accept_ra" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.default.accept_ra" is not set to "0" or is missing, this is a finding. |
f | 1 | Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. | f | 1 | Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv6.conf.default.accept_ra = 0 | t | 5 | net.ipv6.conf.default.accept_ra=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
n | 1 | Verify the mode of /etc/audit/auditd.conf with the command: | n | 1 | To check the permissions of /etc/audit/auditd.conf , |
2 | 2 | run the command: | |||
3 | $ sudo stat -c "%a %n" /etc/audit/auditd.conf | 3 | $ sudo stat -c "%a %n" /etc/audit/auditd.conf | ||
4 | 4 | If properly configured, the output should indicate the following permissions: | |||
5 | 640 /etc/audit/auditd.conf | 5 | 640 /etc/audit/auditd.conf | ||
6 | 6 | ||||
t | 7 | If "/etc/audit/auditd.conf" does not have a mode of "0640", this is a finding. | t | 7 | If /etc/audit/auditd.conf does not have unix mode 0640, then this is a finding. |
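Review bot: "To check the permissions of /etc/audit/auditd.conf , run the command:" has a stray space before the comma, and the finding line says "unix mode 0640" while the `stat -c "%a %n"` output shown is "640 /etc/audit/auditd.conf" (stat prints no leading zero). Write "mode 0640 (stat shows 640)" so a reader comparing strings literally does not raise a finding on a compliant file.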
t | 1 | Set the mode of /etc/audit/auditd.conf file to 0640 with the command: | t | 1 | To properly set the permissions of /etc/audit/auditd.conf , run the command: |
2 | |||||
3 | $ sudo chmod 0640 /etc/audit/auditd.conf | 2 | $ sudo chmod 0640 /etc/audit/auditd.conf |
n | 1 | Verify RHEL 9 uses "pwquality" to enforce the password complexity rules in the system-auth file with the following command: | n | 1 | To check if pam_pwhistory.so is enabled in system-auth, run the following command: |
2 | $ grep pam_pwquality /etc/pam.d/system-auth | ||||
3 | The output should be similar to the following: | ||||
4 | password requisite pam_pwquality.so | ||||
2 | 5 | ||||
t | 3 | $ cat /etc/pam.d/system-auth | grep pam_pwquality | t | 6 | If pam_pwquality.so is not enabled in system-auth, then this is a finding. |
4 | |||||
5 | password required pam_pwquality.so | ||||
6 | |||||
7 | If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding. |
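Review bot: the new heading "To check if pam_pwhistory.so is enabled in system-auth, run the following command:" names the wrong module; the command greps for pam_pwquality and the finding line says pam_pwquality.so. The expected line "password requisite pam_pwquality.so" is the correct control word for RHEL 9, but two caveats belong here: /etc/pam.d/system-auth is an authselect-managed symlink, so the module should be enabled through the authselect profile rather than by editing the file, and /etc/pam.d/password-auth needs the same check because sshd and other non-console logins use it.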
t | 1 | Verify that "/etc/sudoers" has no occurrences of "!authenticate" with the following command: | t | 1 | Verify that "/etc/sudoers" has no occurrences of "!authenticate" with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* | 3 | $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* | ||
4 | 4 | ||||
5 | If any occurrences of "!authenticate" are returned, this is a finding. | 5 | If any occurrences of "!authenticate" are returned, this is a finding. |
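Review bot: the unquoted pattern in `$ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/*` is subject to bash history expansion in an interactive shell ("!a" is looked up as a history event and the command fails with "event not found" when nothing matches), so quote it: `sudo grep -i '!authenticate' /etc/sudoers /etc/sudoers.d/*`.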
f | 1 | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. | f | 1 | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. |
2 | 2 | ||||
t | 3 | Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-3 approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST 800-53 specifies the preferred configurations for government systems. | t | 3 | Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-3-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST 800-53 specifies the preferred configurations for government systems. |
4 | 4 | ||||
5 | Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. | 5 | Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. |
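Review bot: the middle paragraph ("Transport Layer Security (TLS) encryption is a required security setting ... SQL Server must use a minimum of FIPS 140-3-approved TLS version 1.2 ...") is lifted from a SQL Server STIG; it discusses SQL Server and TLS versions, which has nothing to do with the cryptographic-integrity requirement this discussion belongs to. Hyphenating "FIPS 140-3-approved" polishes a paragraph that should be removed or rewritten for RHEL 9.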
f | 1 | Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: | f | 1 | Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: |
2 | 2 | ||||
n | 3 | $ grep pam_faillock.so /etc/pam.d/system-auth | n | 3 | $ sudo grep pam_faillock.so /etc/pam.d/system-auth |
4 | 4 | ||||
5 | auth required pam_faillock.so preauth | 5 | auth required pam_faillock.so preauth | ||
6 | auth required pam_faillock.so authfail | 6 | auth required pam_faillock.so authfail | ||
7 | account required pam_faillock.so | 7 | account required pam_faillock.so | ||
8 | 8 | ||||
t | 9 | If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding. | t | 9 | If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, then this is a finding. |
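Review bot: the finding condition "with the "preauth" line listed before pam_unix.so" cannot be judged from the command shown, because `grep pam_faillock.so` filters pam_unix.so out of the output. Use `grep -E 'pam_(faillock|unix)\.so' /etc/pam.d/system-auth` so the ordering is visible, and check /etc/pam.d/password-auth the same way. Adding `sudo` to the grep is harmless but unnecessary; the file is world-readable.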
n | 1 | Verify that a separate file system/partition has been created for "/var/log" with the following command: | n | 1 | Verify that a separate file system/partition has been created for /var/log with the following command: |
2 | 2 | ||||
n | 3 | $ mount | grep /var/log | n | 3 | $ mountpoint /var/log |
4 | 4 | ||||
n | 5 | UUID=c274f65f-c5b5-4486-b021-bee96feb8b21 /var/log xfs noatime,nobarrier 1 2 | n | ||
6 | 5 | ||||
t | 7 | If a separate entry for "/var/log" is not in use, this is a finding. | t | 6 | If "/var/log is is not a mountpoint" is returned, then this is a finding. |
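Review bot: the new finding line has a doubled word, "If "/var/log is is not a mountpoint" is returned". The literal message from `mountpoint` is "/var/log is not a mountpoint"; alternatively use `mountpoint -q /var/log` and treat a non-zero exit status as the finding, which avoids matching on message text. Dropping the old example output is fine, since it was an fstab-style line rather than `mount` output.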
n | 1 | Verify RHEL9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. | n | 1 | Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. |
2 | 2 | ||||
3 | Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. | 3 | Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. | ||
4 | 4 | ||||
5 | Check that the available package security updates have been installed on the system with the following command: | 5 | Check that the available package security updates have been installed on the system with the following command: | ||
6 | 6 | ||||
7 | $ dnf history list | more | 7 | $ dnf history list | more | ||
8 | 8 | ||||
9 | ID | Command line | Date and time | Action(s) | Altered | 9 | ID | Command line | Date and time | Action(s) | Altered | ||
10 | ------------------------------------------------------------------------------- | 10 | ------------------------------------------------------------------------------- | ||
11 | 70 | install aide | 2020-03-05 10:58 | Install | 1 | 11 | 70 | install aide | 2020-03-05 10:58 | Install | 1 | ||
12 | 69 | update -y | 2020-03-04 14:34 | Update | 18 EE | 12 | 69 | update -y | 2020-03-04 14:34 | Update | 18 EE | ||
13 | 68 | install vlc | 2020-02-21 17:12 | Install | 21 | 13 | 68 | install vlc | 2020-02-21 17:12 | Install | 21 | ||
14 | 67 | update -y | 2020-02-21 17:04 | Update | 7 EE | 14 | 67 | update -y | 2020-02-21 17:04 | Update | 7 EE | ||
15 | 15 | ||||
16 | Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. | 16 | Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. | ||
17 | 17 | ||||
t | 18 | If the system is in non-compliance with the organizational patching policy, this is a finding. | t | 18 | If the system is in non-compliance with the organizational patching policy, then this is a finding. |
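Review bot: `dnf history list | more` shows past transactions, not whether security errata are still outstanding, so it cannot establish "Check that the available package security updates have been installed on the system". `dnf updateinfo list --security` lists unapplied security advisories, and `dnf check-update --security` exits 100 when any are pending; run one of those before comparing transaction dates against the patching policy.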
t | 1 | Install RHEL9 security patches and updates at the organizationally-defined frequency. If system updates are installed via a centralized repository that is configured on the system, you can install all updates with the following command: | t | 1 | Install RHEL 9 security patches and updates at the organizationally-defined frequency. If system updates are installed via a centralized repository that is configured on the system, you can install all updates with the following command: |
2 | 2 | ||||
3 | $ sudo dnf update | 3 | $ sudo dnf update |
t | 1 | The RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/group file must have 0644 or less permissive to prevent unauthorized access. |
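Review bot: the new title "The RHEL 9 /etc/group file must have 0644 or less permissive" is missing the word "mode", and it now names /etc/group while the check text for this item still examines /etc/passwd and the fix chmods /etc/group. Pick one file for this item and align title, check and fix; /etc/passwd and /etc/group normally get separate items.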
n | 1 | Verify that the "/etc/passwd" file has mode "0644" or less permissive with the following command: | n | 1 | To check the permissions of /etc/passwd , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n"/etc/passwd | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 644 | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/passwd | t | 7 | If /etc/passwd does not have unix mode 644, then this is a finding. |
4 | |||||
5 | 644 /etc/passwd | ||||
6 | |||||
7 | If a value of "0644" or less permissive is not returned, this is a finding. |
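Review bot: the new command `$ sudo stat -c "%a %n"/etc/passwd` lost the space between the format string and the path, so the shell passes a single argument "%a %n/etc/passwd" and stat fails with "missing operand". Restore `stat -c "%a %n" /etc/passwd`, show the expected output as "644 /etc/passwd" (the %n prints the name), and keep "or less permissive" in the finding line so a 0640 file is not flagged.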
t | 1 | Change the mode of the file "/etc/passwd" to "0644" by running the following command: | t | 1 | Change the permissions of the file "/etc/group" to "0644" by running the following command: |
2 | |||||
3 | $ sudo chmod 0644 /etc/passwd | 2 | $ sudo chmod 0644 /etc/group |
t | 1 | RHEL 9 must mount /boot with the nodev option. | t | 1 | RHEL 9 Must Prevent Program Execution In Accordance With Local Policies Regarding Software Program Usage And Restrictions And/Or Rules Authorizing The Terms And Conditions Of Software Program Usage. |
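Review bot: the new title "RHEL 9 Must Prevent Program Execution In Accordance With Local Policies ..." is the wrong requirement for this item; the check and fix that follow are about the nodev mount option on /boot, which the original "RHEL 9 must mount /boot with the nodev option" described. Revert the title, including the Title Case that no other title on the page uses.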
n | 1 | Verify that the "/boot" mount point has the "nodev" option is with the following command: | n | 1 | To verify the "nodev" option is configured for the "/boot" mount point, |
2 | 2 | ||||
n | 3 | Note: This control is not applicable to RHEL 9 system booted UEFI. | n | 3 | This control is not applicable to RHEL 9 system booted UEFI. |
4 | 4 | ||||
n | 5 | $ sudo mount | grep '\s/boot\' | n | 5 | Run the following |
6 | 6 | ||||
t | 7 | /dev/sda1 on /boot type xfs (rw,nodev,relatime,seclabel,attr2) | t | 7 | $ sudo mount | grep '\s/boot\ |
8 | |||||
9 | The output should show the corresponding mount point along with the "nodev" setting in parentheses. | ||||
10 | |||||
8 | 11 | ||||
9 | If the "/boot" file system does not have the "nodev" option set, this is a finding. | 12 | If the "/boot" file system does not have the "nodev" option set, this is a finding. |
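Review bot: the grep pattern is broken on both sides: the new `$ sudo mount | grep '\s/boot\` has an unterminated quote, and the old `'\s/boot\'` ends in a trailing backslash that grep rejects. Use `mount | grep '\s/boot\s'`, or more simply `findmnt -no OPTIONS /boot` and look for nodev in the result. The new version also removed the example output line and left "Run the following" as a fragment, and "system booted UEFI" should read "systems booted with UEFI".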
t | 1 | Verify the SSH private host key files have a mode of "0600" or less permissive with the following command: | t | 1 | Verify the SSH private host key files have mode "0600" or less permissive with the following command: |
2 | 2 | ||||
3 | $ ls -l /etc/ssh/*_key | 3 | $ ls -l /etc/ssh/*_key | ||
4 | 4 | ||||
5 | 600 /etc/ssh/ssh_host_dsa_key | 5 | 600 /etc/ssh/ssh_host_dsa_key | ||
6 | 600 /etc/ssh/ssh_host_ecdsa_key | 6 | 600 /etc/ssh/ssh_host_ecdsa_key | ||
7 | 600 /etc/ssh/ssh_host_ed25519_key | 7 | 600 /etc/ssh/ssh_host_ed25519_key | ||
8 | 600 /etc/ssh/ssh_host_rsa_key | 8 | 600 /etc/ssh/ssh_host_rsa_key | ||
9 | 9 | ||||
10 | If any private host key file has a mode more permissive than "0600", this is a finding. | 10 | If any private host key file has a mode more permissive than "0600", this is a finding. |
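Review bot: `ls -l /etc/ssh/*_key` does not print lines like "600 /etc/ssh/ssh_host_rsa_key"; that format comes from `stat -c "%a %n" /etc/ssh/*_key`, so either the command or the expected output must change. Two further points: RHEL 9 does not generate ssh_host_dsa_key by default (sshd-keygen creates rsa, ecdsa and ed25519), and the openssh-server package installs host keys as root:ssh_keys with mode 0640 so the ssh_keys group can read them, so a strict 0600 requirement flags a default install; reconcile the threshold with that default.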
t | 1 | Alan May | t | 1 | Verify that RHEL 9 usbguard package is installed with the following command: |
2 | |||||
3 | $ sudo dnf list --installed usbguard | ||||
4 | |||||
5 | usbguard.x86_64 1.0.0-10.el9 | ||||
6 | |||||
7 | If the usbguard package is not installed, this is a finding. |
n | 1 | Verify that the IPSec service uses the system crypto policy with the following command: | n | 1 | Verify that the IPSec service uses the system crypto policy. |
2 | 2 | ||||
t | 3 | Note: If the ipsec service is not installed this requirement is Not Applicable. | t | 3 | If the ipsec service is not installed is not applicable. |
4 | |||||
5 | Check to see if the "IPsec" service is active with the following command: | ||||
4 | 6 | ||||
5 | $ systemctl status ipsec | 7 | $ systemctl status ipsec | ||
6 | 8 | ||||
7 | ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec | 9 | ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec | ||
8 | Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) | 10 | Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) | ||
9 | Active: inactive (dead) | 11 | Active: inactive (dead) | ||
10 | 12 | ||||
11 | If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: | 13 | If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: | ||
12 | 14 | ||||
13 | $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf | 15 | $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf | ||
14 | 16 | ||||
15 | /etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config | 17 | /etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config | ||
16 | 18 | ||||
17 | If the "IPsec" service is active and the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding. | 19 | If the "IPsec" service is active and the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding. |
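Review bot: the new note "If the ipsec service is not installed is not applicable." is missing its subject; keep the old "Note: If the ipsec service is not installed this requirement is Not Applicable." The edit also dropped "Check to see if the "IPsec" service is active with the following command:" before `$ systemctl status ipsec`, so the status output now appears without explanation.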
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
n | 1 | Verify the group ownership of the "/etc/passwd-" file with the following command: | n | 1 | To check the group ownership of /etc/passwd- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/passwd- | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/passwd- | t | ||
4 | |||||
5 | root /etc/passwd- | ||||
6 | |||||
7 | If "/etc/passwd-" file does not have a group owner of "root", this is a finding. | 7 | If /etc/passwd- does not have a group owner of root, then this is a finding. |
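Review bot: the new expected output "root" drops the filename that `stat -c "%G %n" /etc/passwd-` prints; show "root /etc/passwd-" or use `-c "%G"`. There is also a stray space before the comma in "/etc/passwd- ,".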
f | 1 | Change the group of the file /etc/passwd- to root by running the following command: | f | 1 | Change the group of the file /etc/passwd- to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/passwd- | 2 | $ sudo chgrp root /etc/passwd- |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/run/faillock. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/run/faillock. |
t | 1 | The RHEL 9 /etc/shadow- file must be owned by root. | t | 1 | The RHEL 9 /etc/shadow- file must be group-owned by root. |
n | 1 | Verify the ownership of the "/etc/shadow-" file with the following command: | n | 1 | To check the ownership of /etc/shadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/shadow- | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root /etc/shadow | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/shadow- | t | ||
4 | |||||
5 | root /etc/shadow- | ||||
6 | |||||
7 | If "/etc/shadow-" file does not have an owner of "root", this is a finding. | 7 | If /etc/shadow- does not have an owner of root, then this is a finding. |
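Review bot: the title of this item was changed to "must be group-owned by root", but the check still uses `stat -c "%U %n"` and asks for "an owner of root", and the new expected output "root /etc/shadow" names the wrong file (the trailing dash of /etc/shadow- is missing). Decide whether this item is the owner or the group-owner check: for group ownership the command is `stat -c "%G %n" /etc/shadow-`; for ownership leave the title as it was.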
t | 1 | Change the owner of the file /etc/shadow- to root by running the following command: | t | 1 | Change the group of the file /etc/shadow- to root by running the following command: |
2 | |||||
3 | $ sudo chown root /etc/shadow- | 2 | $ sudo chgrp root /etc/shadow- |
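Review bot: the fix was changed from `chown root /etc/shadow-` to `chgrp root /etc/shadow-`, which sets the group and leaves the owner untouched, while the check for this item still verifies the owner (%U). Either keep chown here or convert the check to %G in the same change.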
f | 1 | Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. | f | 1 | Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv6.conf.all.accept_ra = 0 | t | 5 | net.ipv6.conf.all.accept_ra=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
t | 1 | Verify that RHEL 9 has the rsyslogd package installed with the following command: | t | 1 | Verify that RHEL 9 has the rsyslogd package installed with the following command:$ sudo dnf list --installed rsyslogrsyslog.x86_64 8.2102.0-101.el9_0.1If the rsyslogd package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed rsyslog | ||||
4 | |||||
5 | rsyslog.x86_64 8.2102.0-101.el9_0.1 | ||||
6 | |||||
7 | If the rsyslogd package is not installed, this is a finding. |
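Review bot: the right-hand column collapses the whole check into one line, "Verify that RHEL 9 has the rsyslogd package installed with the following command:$ sudo dnf list --installed rsyslogrsyslog.x86_64 8.2102.0-101.el9_0.1If the rsyslogd package is not installed, this is a finding." The line breaks between sentence, command, output and finding were lost, so the command now reads as `dnf list --installed rsyslogrsyslog.x86_64`. Restore the original layout, and call the package "rsyslog" (rsyslogd is the daemon; `dnf list --installed rsyslog` queries the package).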
f | 1 | Configure RHEL 9 to lock out the "root" account after a number of incorrect login | f | 1 | Configure RHEL 9 to lock out the "root" account after a number of incorrect login |
2 | attempts using "pam_faillock.so", first enable the feature using the following command: | 2 | attempts using "pam_faillock.so", first enable the feature using the following command: | ||
3 | 3 | ||||
4 | $ sudo authselect enable-feature with-faillock | 4 | $ sudo authselect enable-feature with-faillock | ||
5 | 5 | ||||
6 | Then edit the "/etc/security/faillock.conf" file as follows: | 6 | Then edit the "/etc/security/faillock.conf" file as follows: | ||
7 | 7 | ||||
8 | add or uncomment the following line: | 8 | add or uncomment the following line: | ||
9 | even_deny_root | 9 | even_deny_root | ||
t | 10 | t |
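Review bot: "add or uncomment the following line: even_deny_root" only extends an existing lockout policy to root; the number of attempts comes from `deny` in the same /etc/security/faillock.conf and `unlock_time` decides whether root stays locked indefinitely, so state the `deny` value this fix expects and say how a locked root is recovered (`faillock --user root --reset`). `authselect enable-feature with-faillock` also needs a profile to already be selected (`authselect current`), otherwise it fails.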
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
t | 1 | Verify that RHEL 9 has the tmux package installed with the following command: | t | 1 | Verify that RHEL 9 has the tmux package installed with the following command:$ sudo dnf list --installed tmuxtmux.x86_64 3.2a-4.el9If the tmux package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed tmux | ||||
4 | |||||
5 | tmux.x86_64 3.2a-4.el9 | ||||
6 | |||||
7 | If the tmux package is not installed, this is a finding. |
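Review bot: same collapse as the rsyslog check: the right-hand column runs the sentence, command, output and finding into one line, so the command reads `dnf list --installed tmuxtmux.x86_64 3.2a-4.el9If the tmux package is not installed`. Restore the line breaks.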
n | 1 | Verify the group ownership of the "/etc/group" file with the following command: | n | 1 | To check the group ownership of /etc/group , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/group | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /etc/group | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/group | t | ||
4 | |||||
5 | root /etc/group | ||||
6 | |||||
7 | If "/etc/group" file does not have a group owner of "root", this is a finding. | 7 | If /etc/group does not have a group owner of root, then this is a finding. |
f | 1 | Change the group of the file /etc/group to root by running the following command: | f | 1 | Change the group of the file /etc/group to root by running the following command: |
n | 2 | n | |||
3 | $ sudo chgrp root /etc/group | 2 | $ sudo chgrp root /etc/group | ||
t | 4 | t | |||
5 |
f | 1 | Verify the SSH daemon does not allow GSSAPI authentication with the following command: | f | 1 | Verify the SSH daemon does not allow GSSAPI authentication with the following command: |
2 | 2 | ||||
3 | $ sudo grep -ir gssapiauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* | 3 | $ sudo grep -ir gssapiauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* | ||
4 | 4 | ||||
5 | GSSAPIAuthentication no | 5 | GSSAPIAuthentication no | ||
6 | 6 | ||||
7 | If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the ISSO, this is a finding. | 7 | If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the ISSO, this is a finding. | ||
8 | 8 | ||||
9 | Fix Text: Configure the SSH daemon to not allow GSSAPI authentication. | 9 | Fix Text: Configure the SSH daemon to not allow GSSAPI authentication. | ||
10 | 10 | ||||
t | 11 | If the required value is not set, this is a finding. | t | 11 | If the required value is not set, then this is a finding. |
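Review bot: three problems in this block that the "then this is a finding" edit does not touch. The finding condition joins its clauses with "and" ("If the value is returned as "yes", the returned line is commented out, no output is returned, and ...") when any one of them should count, so it should be "or". The line "Fix Text: Configure the SSH daemon to not allow GSSAPI authentication." is fix text that has strayed into the check and leaves two finding sentences. And `grep -ir gssapiauth` also matches commented lines and cannot tell which of several matches sshd honours (with Include, the first value sshd reads wins); `sudo sshd -T | grep -i gssapiauthentication` prints the effective value.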
t | 1 | RHEL 9 must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | t | 1 | RHEL 9 Must Terminate All Network Connections Associated With A Communications Session At The End Of The Session, Or As Follows: For In-Band Management Sessions (Privileged Sessions), The Session Must Be Terminated After 10 Minutes Of Inactivity; And For User Sessions (Non-Privileged Session), The Session Must Be Terminated After 15 Minutes Of Inactivity, Except To Fulfill Documented And Validated Mission Requirements. |
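Review bot: the new title splits the requirement into 10 minutes for privileged sessions and 15 minutes for non-privileged ones, but the check and fix for this item set a single TMOUT for everyone. Either keep the single 15-minute title or make the check and fix distinguish privileged from non-privileged shells; as committed, the three pieces disagree.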
n | 1 | Verify RHEL 9 terminates all network connections associated with a communications session at the end of the session or based on inactivity with the following command: | n | 1 | Run the following command to ensure the "TMOUT" value is configured for all users |
2 | on the system: | ||||
2 | 3 | ||||
n | 3 | $ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh | n | 4 | $ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh |
4 | 5 | ||||
n | 5 | etc/profile.d/tmout.sh:declare -xr TMOUT=900 | n | 6 | The output should return the following: |
7 | TMOUT=600 | ||||
6 | 8 | ||||
t | 7 | If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding. | t | 9 | If value of TMOUT is not less than or equal to expected setting, then this is a finding. |
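Review bot: the new finding line "If value of TMOUT is not less than or equal to expected setting, then this is a finding." no longer says what the expected setting is; the old text stated 900 and the fix now writes 600, so name the number. The old example output `declare -xr TMOUT=900` also carried a point worth keeping: an exported readonly variable cannot be unset or overridden by the user in their shell, whereas a plain "TMOUT=600" line can. Dropping -i from the grep is fine, since the variable name is case-sensitive.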
n | 1 | Configure RHEL 9 to terminate user sessions after 900 seconds of inactivity. | n | 1 | Configure RHEL 9 to terminate user sessions after 600 seconds of inactivity. |
2 | 2 | ||||
3 | Add or edit the following line in "/etc/profile.d/tmout.sh": | 3 | Add or edit the following line in "/etc/profile.d/tmout.sh": | ||
4 | 4 | ||||
t | 5 | TMOUT=900 | t | 5 | TMOUT=600 |
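Review bot: "TMOUT=600" in /etc/profile.d/tmout.sh is neither exported nor readonly, so a user can `unset TMOUT` or set TMOUT=0 in their own shell and defeat the timeout. Use `declare -xr TMOUT=600` (the form the previous check's example output showed), and make the value agree with whichever threshold the title and check settle on.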
t | 1 | Verify the SSH client is configured to use only ciphers employing FIPS 140-3 approved algorithms with the following command: | t | 1 | Verify the SSH client is configured to use only ciphers employing FIPS 140-3-approved algorithms with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config | 3 | $ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config | ||
4 | 4 | ||||
5 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | 5 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | ||
6 | 6 | ||||
7 | If the cipher entries in the "openssh.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding. | 7 | If the cipher entries in the "openssh.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding. |
n | 1 | Configure the RHEL 9 SSH client to use only ciphers employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following line: | n | 1 | Configure the RHEL 9 SSH client to use only ciphers employing FIPS 140-3-approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following line: |
2 | 2 | ||||
t | 3 | Ciphers aes256-ctr,aes192-ctr,aes128-ctr | t | 3 | Ciphers=aes256-ctr,aes192-ctr,aes128-ctr |
4 | 4 | ||||
5 | A reboot is required for the changes to take effect. | 5 | A reboot is required for the changes to take effect. |
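Review bot: `Ciphers=aes256-ctr,aes192-ctr,aes128-ctr` is accepted by OpenSSH (keyword and value may be separated by "="), but /etc/crypto-policies/back-ends/openssh.config is generated by `update-crypto-policies` and is regenerated on the next run, which discards the hand edit. The durable way is a policy module under /etc/crypto-policies/policies/modules/ applied with `update-crypto-policies --set <POLICY>:<MODULE>`, or enabling the FIPS policy via `fips-mode-setup --enable`. Also say what the reboot is for: the ssh client reads its configuration at each invocation, so a reboot matters for long-running services and FIPS mode, not for the client itself.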
f | 1 | Verify the TFTP daemon is configured to operate in secure mode. | f | 1 | Verify the TFTP daemon is configured to operate in secure mode. |
2 | 2 | ||||
3 | Check if a TFTP server is installed with the following command: | 3 | Check if a TFTP server is installed with the following command: | ||
4 | 4 | ||||
5 | $ sudo dnf list --installed tftp-server | 5 | $ sudo dnf list --installed tftp-server | ||
6 | 6 | ||||
7 | tftp-server.x86_64 5.2-35.el9.x86_64 | 7 | tftp-server.x86_64 5.2-35.el9.x86_64 | ||
8 | 8 | ||||
n | 9 | If a TFTP server is not installed, this requirement is Not Applicable. | n | 9 | If a TFTP server is not installed, this is Not Applicable. |
10 | 10 | ||||
11 | If a TFTP server is installed, check for the server arguments with the following command: | 11 | If a TFTP server is installed, check for the server arguments with the following command: | ||
12 | 12 | ||||
n | 13 | $ systemctl cat tftp | grep ExecStart | n | 13 | $ systemctl cat tftp | grep ExecStart= |
14 | ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot | 14 | ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot | ||
15 | 15 | ||||
t | t | 16 | |||
16 | If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding. | 17 | If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding. |
f | 1 | Verify RHEL 9 will not accept IPv4 ICMP redirect messages. | f | 1 | Verify RHEL 9 will not accept IPv4 ICMP redirect messages. |
2 | 2 | ||||
3 | Check the value of the default "accept_redirects" variables with the following command: | 3 | Check the value of the default "accept_redirects" variables with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.conf.default.accept_redirects | t | 5 | $ sudo sysctl net.ipv4.conf.default.accept_redirects |
6 | 6 | ||||
7 | net.ipv4.conf.default.accept_redirects = 0 | 7 | net.ipv4.conf.default.accept_redirects = 0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.default.accept_redirects | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.default.accept_redirects | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.default.accept_redirects = 0 | 15 | net.ipv4.conf.default.accept_redirects = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding. | 17 | If "net.ipv4.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding. |
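Review bot: the finding clause on line 9 ("or the line is commented out") cannot apply to `sysctl` runtime output, which never contains comment lines; it reads as a copy from the file-based checks and should be dropped from the runtime part of this check, leaving "does not have a value of "0" or a line is not returned". The persisted-configuration check on lines 13 to 17 already filters comments with `egrep -v '^(#|$)'`, so "commented out" is only meaningful there.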
t | 1 | RHEL9 must have gpgcheck enabled for all repositories. | t | 1 | RHEL 9 must have gpgcheck enabled for all repositories. |
t | t | 1 | Verify that GRUB 2 is configured to disable vsyscalls . | ||
2 | |||||
1 | Verify the current GRUB 2 configuration disables vsyscalls with the following command: | 3 | Check that the current GRUB 2 configuration disables vsyscalls with the following command: | ||
2 | 4 | ||||
3 | $ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' | 5 | $ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' | ||
4 | 6 | ||||
5 | If any output is returned, this is a finding. | 7 | If any output is returned, this is a finding. | ||
6 | 8 | ||||
7 | Check that vsyscalls are disabled by default to persist in kernel updates with the following command: | 9 | Check that vsyscalls are disabled by default to persist in kernel updates with the following command: | ||
8 | 10 | ||||
9 | $ sudo grep vsyscall /etc/default/grub | 11 | $ sudo grep vsyscall /etc/default/grub | ||
10 | 12 | ||||
11 | GRUB_CMDLINE_LINUX="vsyscall=none" | 13 | GRUB_CMDLINE_LINUX="vsyscall=none" | ||
12 | 14 | ||||
13 | If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | 15 | If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. |
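Review bot: the new title line 1 has a stray space before the full stop ("disable vsyscalls ."); drop it. Style only, the rest of the hunk is unchanged between the two sides.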
n | 1 | Verify that a separate file system/partition has been created for "/var/tmp" with the following command: | n | 1 | Verify that a separate file system/partition has been created for /var/tmp with the following command: |
2 | 2 | ||||
n | 3 | $ mount | grep /var/tmp | n | 3 | $ mountpoint /var/tmp |
4 | 4 | ||||
n | 5 | UUID=c274f65f-c5b5-4379-b017-bee96feb7a34 /var/log xfs noatime,nobarrier 1 2 | n | ||
6 | 5 | ||||
t | 7 | If a separate entry for "/var/tmp" is not in use, this is a finding. | t | 6 | If "/var/tmp is is not a mountpoint" is returned, then this is a finding. |
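Review bot: the new finding text on line 6 misquotes the tool output as "/var/tmp is is not a mountpoint"; `mountpoint` prints "/var/tmp is not a mountpoint", so the doubled "is" should be removed or an auditor comparing strings literally will never match it. Replacing the old `mount | grep` check with `mountpoint` is an improvement, since the old expected-output line showed a `/var/log` entry for a `/var/tmp` check.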
f | 1 | Verify RHEL 9 will not accept IPv4 source-routed packets. | f | 1 | Verify RHEL 9 will not accept IPv4 source-routed packets. |
2 | 2 | ||||
3 | Check the value of the all "accept_source_route" variables with the following command: | 3 | Check the value of the all "accept_source_route" variables with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.conf.all.accept_source_route | t | 5 | $ sudo sysctl net.ipv4.conf.all.accept_source_route |
6 | 6 | ||||
7 | net.ipv4.conf.all.accept_source_route = 0 | 7 | net.ipv4.conf.all.accept_source_route = 0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.accept_source_route | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.accept_source_route | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.all.accept_source_route = 0 | 15 | net.ipv4.conf.all.accept_source_route = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding. | 17 | If "net.ipv4.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding. |
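Review bot: line 3 reads "Check the value of the all "accept_source_route" variables"; the intended wording is "the "all" accept_source_route variable" (the sysctl is `net.ipv4.conf.all.accept_source_route`), so quote "all" rather than "accept_source_route". As in the `accept_redirects` check, the "commented out" clause on line 9 does not apply to `sysctl` output.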
n | 1 | Verify that RHEL 9 is configured to audit the execution of the "shutdown" command with the following command: | n | 1 | Verify that an audit event is generated for any successful/unsuccessful use of the shutdown command by performing the following command to check the file system rules in "/etc/audit/audit.rules": |
2 | 2 | ||||
n | 3 | $ sudo auditctl -l | grep shutdown | n | 3 | $ sudo grep -w shutdown /etc/audit/audit.rules |
4 | 4 | ||||
5 | -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown | 5 | -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown | ||
6 | 6 | ||||
t | 7 | If the command does not return a line, or the line is commented out, this is a finding. | t | 7 | If the command does not return a line, or the line is commented out, then this is a finding. |
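Review bot: the new side replaces `auditctl -l` (rules actually loaded in the kernel) with `grep -w shutdown /etc/audit/audit.rules` (persisted rules). On RHEL 9 `/etc/audit/audit.rules` is regenerated by `augenrules --load` from `/etc/audit/rules.d/*.rules`, so the file and the loaded rule set can disagree until the next load or reboot; the check should say which state it is assessing, and it would be safer to keep the `auditctl -l` command alongside the file grep. The "commented out" clause on line 7 is now meaningful because `grep -w` will match a commented line.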
t | 1 | The RHEL 9 /boot/grub2/grub.cfg file must be owned by root. | t | 1 | The RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. |
n | 1 | Verify the ownership of the "/boot/grub2/grub.cfg" file with the following command: | n | 1 | To check the group ownership of /boot/grub2/grub.cfg , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /boot/grub2/grub.cfg | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /boot/grub2/grub.cfg | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /boot/grub2/grub.cfg | t | ||
4 | |||||
5 | root /boot/grub2/grub.cfg | ||||
6 | |||||
7 | If "/boot/grub2/grub.cfg" file does not have an owner of "root", this is a finding. | 7 | If /boot/grub2/grub.cfg does not have a group owner of root, then this is a finding. |
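Review bot: this hunk, together with the title on the line above it and the fix below, changes the requirement from owner to group-owner of `/boot/grub2/grub.cfg`. If the owner-is-root requirement (`stat -c "%U %n"`, `chown root`) is not preserved in a separate rule, that control is lost; confirm it exists elsewhere rather than being overwritten here. New line 1 also has a stray space before the comma ("grub.cfg ,").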
t | 1 | Change the owner of the file /boot/grub2/grub.cfg to root by running the following command: | t | 1 | Change the group of the file /boot/grub2/grub.cfg to root by running the following command: |
2 | |||||
3 | $ sudo chown root /boot/grub2/grub.cfg | 2 | $ sudo chgrp root /boot/grub2/grub.cfg |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
f | 1 | Verify RHEL 9 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. | f | 1 | Verify RHEL 9 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. |
2 | 2 | ||||
3 | Check the value of the "default send_redirects" variables with the following command: | 3 | Check the value of the "default send_redirects" variables with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.conf.default.send_redirects | t | 5 | $ sudo sysctl net.ipv4.conf.default.send_redirects |
6 | 6 | ||||
7 | net.ipv4.conf.default.send_redirects=0 | 7 | net.ipv4.conf.default.send_redirects=0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. | 9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.default.send_redirects | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.default.send_redirects | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.default.send_redirects = 0 | 15 | net.ipv4.conf.default.send_redirects = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. | 17 | If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. |
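Review bot: the expected runtime output on line 7, `net.ipv4.conf.default.send_redirects=0`, is written without the spaces that `sysctl` actually prints and that line 15 shows (`name = value`); make the two consistent so the sample output matches what the auditor sees.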
n | 1 | Verify that RHEL 9 is configured to audit the execution of the "init" command with the following command: | n | 1 | Verify that an audit event is generated for any successful/unsuccessful use of the init command by performing the following command to check the file system rules in "/etc/audit/audit.rules": |
2 | 2 | ||||
n | 3 | $ sudo auditctl -l | grep init | n | 3 | $ sudo grep -w init /etc/audit/audit.rules |
4 | 4 | ||||
5 | -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init | 5 | -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init | ||
6 | 6 | ||||
t | 7 | If the command does not return a line, or the line is commented out, this is a finding. | t | 7 | If the command does not return a line, or the line is commented out, then this is a finding. |
t | 1 | Run the following command to determine if the firewalld package is installed with the following command: | t | 1 | Run the following command to determine if the firewalld package is installed:$ sudo dnf list --installed firewalld firewalld.noarch1.0.0-4.el9If the firewall package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed firewalld | ||||
4 | |||||
5 | firewalld.noarch 1.0.0-4.el9 | ||||
6 | |||||
7 | If the firewall package is not installed, this is a finding. |
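Review bot: the new side collapses the whole check onto a single line, fusing the command, the package output and the finding sentence ("installed:$ sudo dnf list --installed firewalld firewalld.noarch1.0.0-4.el9If the firewall package ..."). Restore the line breaks from the old side so the command and expected output are distinguishable. "firewall package" on the last sentence should also read "firewalld package" to match the command.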
n | 1 | Verify that RHEL 9 has a minimum number of hash rounds configured with the following command: | n | 1 | Inspect "/etc/login.defs" and ensure that if eihter |
2 | "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" | ||||
3 | are set, they must have the minimum value of "5000". | ||||
2 | 4 | ||||
t | 3 | $ grep -i sha_crypt /etc/login.defs | t | 5 | If it does not, then this is a finding. |
4 | |||||
5 | If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. | ||||
6 | |||||
7 | If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding. |
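Review bot: the new side drops the `grep -i sha_crypt /etc/login.defs` command, so the auditor is no longer told how to inspect the file, and it contains the typo "eihter". It also changes the logic: the old text treated the case where both values are set as a finding only when the higher of the two is below 5000, whereas the new "they must have the minimum value of "5000"" reads as requiring each value to be at least 5000 (and could be misread as exactly 5000). If the stricter reading is intended, state it explicitly; otherwise restore the old two-case wording.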
n | 1 | Verify that RHEL 9 requires uses to be members of the "wheel" group with the following command: | n | 1 | Run the following command to check if the line is present: |
2 | grep pam_wheel /etc/pam.d/su | ||||
3 | The output should contain the following line: | ||||
4 | auth required pam_wheel.so use_uid | ||||
2 | 5 | ||||
t | 3 | $grep pam_wheel /etc/pam.d/su | t | 6 | If the line is not in the file or it is commented, then this is a finding. |
4 | |||||
5 | auth required pam_wheel.so use_uid | ||||
6 | |||||
7 | If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding. |
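Review bot: the command on new line 2 has no `$` prompt, unlike every other check in the document (the old side had `$grep` with no space, which is also inconsistent); use `$ grep pam_wheel /etc/pam.d/su`. The old line 1 typo "requires uses" is gone, which is fine.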
f | 1 | Configure RHEL 9 to require users to be in the "wheel" group to run "su" command. | f | 1 | Configure RHEL 9 to require users to be in the "wheel" group to run "su" command. |
2 | 2 | ||||
3 | In file "/etc/pam.d/su", uncomment the following line: | 3 | In file "/etc/pam.d/su", uncomment the following line: | ||
4 | 4 | ||||
5 | "#auth required pam_wheel.so use_uid" | 5 | "#auth required pam_wheel.so use_uid" | ||
6 | 6 | ||||
7 | $ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su | 7 | $ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su | ||
8 | 8 | ||||
9 | If necessary, create a "wheel" group and add administrative users to the group. | 9 | If necessary, create a "wheel" group and add administrative users to the group. | ||
t | 10 | t |
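Review bot: the `sed -i` on line 7 edits `/etc/pam.d/su` in place but is the only command in these hunks written without `sudo`; as a non-root user it will fail with a permission error, so prefix it with `sudo`. The expression also only uncomments a line that matches `#auth required pam_wheel.so use_uid` exactly; if the line is absent the command silently does nothing, so the fix should add a sentence telling the administrator to add the line when it is not present.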
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
n | 1 | Verify the group ownership of the "/etc/shadow-" file with the following command: | n | 1 | To check the group ownership of /etc/shadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/shadow- | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/shadow- | t | ||
4 | |||||
5 | root /etc/shadow- | ||||
6 | |||||
7 | If "/etc/shadow-" file does not have a group owner of "root", this is a finding. | 7 | If /etc/shadow- does not have a group owner of root, then this is a finding. |
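Review bot: the expected output on new line 5 is just "root", but the command on line 3 uses `stat -c "%G %n"` and prints "root /etc/shadow-" (as the old side's line 5 and the equivalent `grub.cfg` hunk show). Restore the filename in the sample output so it matches the command.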
f | 1 | Change the group of the file /etc/shadow- to root by running the following command: | f | 1 | Change the group of the file /etc/shadow- to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/shadow- | 2 | $ sudo chgrp root /etc/shadow- |
f | 1 | Verify RHEL 9 disables storing core dumps with the following commands: | f | 1 | Verify RHEL 9 disables storing core dumps with the following commands: |
2 | 2 | ||||
t | 3 | $ sysctl kernel.core_pattern | t | 3 | $ sudo sysctl kernel.core_pattern |
4 | 4 | ||||
5 | kernel.core_pattern = |/bin/false | 5 | kernel.core_pattern = |/bin/false | ||
6 | 6 | ||||
7 | If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | 7 | If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | ||
8 | 8 | ||||
9 | Check that the configuration files are present to disable core dump storage. | 9 | Check that the configuration files are present to disable core dump storage. | ||
10 | 10 | ||||
11 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F kernel.core_pattern | tail -1 | 11 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F kernel.core_pattern | tail -1 | ||
12 | 12 | ||||
13 | kernel.core_pattern = |/bin/false | 13 | kernel.core_pattern = |/bin/false | ||
14 | 14 | ||||
15 | If "kernel.core_pattern" is not set to "|/bin/false" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. | 15 | If "kernel.core_pattern" is not set to "|/bin/false" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. |
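Review bot: the two finding clauses in this hunk attach the ISSO-documented exception to different conditions: on line 7 the exception excuses a line that "is not returned", while on line 15 it excuses a wrong value and "is missing" is always a finding. Decide which is meant and word both the same way, for example "is not set to "|/bin/false" and is not documented ... as an operational requirement, or is missing".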
t | 1 | RHEL 8 must enable Linux audit logging for the USBGuard daemon. | t | 1 | RHEL 9 Must Provide Audit Record Generation Capability For Dod-Defined Auditable Events For All Operating System Components. |
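Review bot: the old title ("RHEL 8 must enable Linux audit logging for the USBGuard daemon", itself carrying an RHEL 8 typo) and the new one ("RHEL 9 Must Provide Audit Record Generation Capability For Dod-Defined Auditable Events ...") describe two different rules, and the discussion text in the next hunk is swapped the other way round (old side: DoD-defined events; new side: USBGuard). It looks like the two rules' titles and discussions were paired up across versions incorrectly; re-check the rule mapping. The new title also uses Title Case ("Must", "Dod") unlike every other title in the document.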
t | 1 | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. | t | 1 | Using the Linux Audit logging allows for centralized trace |
2 | 2 | of events. | |||
3 | If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. | ||||
4 | |||||
5 | Audit records can be generated from various components within the information system (e.g., module or policy filter). | ||||
6 | |||||
7 | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. | ||||
8 | |||||
9 | DoD has defined the list of events for which RHEL 9 will provide an audit record generation capability as the following: | ||||
10 | |||||
11 | 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); | ||||
12 | |||||
13 | 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; | ||||
14 | |||||
15 | 3) All account creations, modifications, disabling, and terminations; and | ||||
16 | |||||
17 | 4) All kernel module load, unload, and restart actions. |
n | 1 | To verify that Linux Audit logging is enabled for the USBGuard daemon with the following command: | n | 1 | To verify that Linux Audit logging is enabled for the USBGuard daemon, |
2 | run the following command: | ||||
3 | $ sudo grep AuditBackend | ||||
4 | The output should be | ||||
5 | AuditBackend=LinuxAudit | ||||
2 | 6 | ||||
t | 3 | $ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf | t | ||
4 | |||||
5 | AuditBackend=LinuxAudit | ||||
6 | |||||
7 | If "AuditBackend" is not set to "LinuxAudit", this is a finding. | 7 | If AuditBackend is not set to LinuxAudit, then this is a finding. |
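Review bot: the command on new line 3, `$ sudo grep AuditBackend`, lost its file argument; without `/etc/usbguard/usbguard-daemon.conf` (present on the old side's line 3) `grep` reads standard input and the check hangs. Restore the path.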
f | 1 | Verify RHEL 9 is not performing IPv4 packet forwarding, unless the system is a router. | f | 1 | Verify RHEL 9 is not performing IPv4 packet forwarding, unless the system is a router. |
2 | 2 | ||||
3 | Check that IPv4 forwarding is disabled using the following command: | 3 | Check that IPv4 forwarding is disabled using the following command: | ||
4 | 4 | ||||
n | 5 | $ sysctl net.ipv4.conf.all.forwarding | n | 5 | $ sudo sysctl net.ipv4.ip_forward |
6 | 6 | ||||
t | 7 | net.ipv4.conf.all.forwarding = 0 | t | 7 | net.ipv4.ip_forward = 0 |
8 | 8 | ||||
9 | If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | 9 | If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.forwarding | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.forwarding | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.all.forwarding = 0 | 15 | net.ipv4.conf.all.forwarding = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. | 17 | If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. |
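Review bot: the runtime check on new lines 5 to 7 now uses `net.ipv4.ip_forward`, but the persisted-configuration grep on line 13, the expected output on line 15, the finding on line 17 and the fix below all still use `net.ipv4.conf.all.forwarding`. A configuration file that persists `net.ipv4.ip_forward = 0` would pass the runtime check and fail the file check; use one key name consistently across check and fix.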
f | 1 | Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. | f | 1 | Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv4.conf.all.forwarding = 0 | t | 5 | net.ipv4.conf.all.forwarding=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
t | 1 | The RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/passwd- file must have 0644 or less permissive to prevent unauthorized access. |
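Review bot: the new title reads "must have 0644 or less permissive" with the word "mode" dropped; keep "must have mode 0644 or less permissive" as on the old side.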
n | 1 | Verify that the "/etc/passwd-" file has mode "0644" or less permissive with the following command: | n | 1 | To check the permissions of /etc/passwd- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n" /etc/passwd- | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 644 /etc/passwd- | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/passwd- | t | 7 | If /etc/passwd- does not have unix mode 644, then this is a finding. |
4 | |||||
5 | 644 /etc/passwd- | ||||
6 | |||||
7 | If a value of "0644" or less permissive is not returned, this is a finding. |
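Review bot: the new finding on line 7, "If /etc/passwd- does not have unix mode 644, then this is a finding", contradicts the title's "0644 or less permissive": a file with mode 0600 would satisfy the requirement but be flagged by this wording. Restore the old "If a value of "0644" or less permissive is not returned". New line 1 also has a stray space before the comma.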
t | 1 | Change the mode of the file "/etc/passwd-" to "0644" by running the following command: | t | 1 | Change the permissions of the file "/etc/passwd-" to "0644" by running the following command: |
2 | |||||
3 | $ sudo chmod 0644 /etc/passwd- | 2 | $ sudo chmod 0644 /etc/passwd- |
t | 1 | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | t | 1 | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
n | 1 | Verify that the kdump service is disabled in system boot configuration with the following command: | n | 1 | To check that the kdump service is disabled in system boot configuration, |
2 | run the following command: | ||||
3 | $ sudo systemctl is-enabled kdump | ||||
4 | Output should indicate the kdump service has either not been installed, | ||||
5 | or has been disabled at all runlevels, as shown in the example below: | ||||
6 | $ sudo systemctl is-enabled kdump | ||||
7 | disabled | ||||
2 | 8 | ||||
n | 3 | $ systemctl is-enabled kdump | n | 9 | Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: |
10 | $ sudo systemctl is-active kdump | ||||
4 | 11 | ||||
n | 5 | disabled | n | 12 | If the service is not running the command will return the following output: |
13 | inactive | ||||
6 | 14 | ||||
n | 7 | Verify that the kdump service is not active (i.e. not running) through current runtime configuration with the following command: | n | 15 | The service will also be masked, to check that the kdump is masked, run the following command: |
16 | $ sudo systemctl show kdump | grep "LoadState\|UnitFileState" | ||||
8 | 17 | ||||
n | 9 | $ systemctl is-active kdump | n | 18 | If the service is masked the command will return the following outputs: |
10 | 19 | ||||
n | 11 | inactive | n | 20 | LoadState=masked |
12 | Verify that the kdump service is masked with the following command: | ||||
13 | 21 | ||||
n | 14 | $ sudo systemctl show kdump | grep "LoadState\|UnitFileState" | n | 22 | UnitFileState=masked |
15 | 23 | ||||
t | 16 | LoadState=masked | t | ||
17 | |||||
18 | UnitFileState=masked | ||||
19 | |||||
20 | If the "kdump" service is loaded or active, and is not masked, this is a finding. | 24 | If the "kdump" is loaded and not masked, then this is a finding. |
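Review bot: new lines 3 and 6 repeat `$ sudo systemctl is-enabled kdump`; one copy should go. The new finding on line 24 ("If the "kdump" is loaded and not masked") drops the "or active" condition that the old line 20 had, even though the hunk still checks `systemctl is-active`; and "disabled at all runlevels" on line 5 is pre-systemd wording that does not match the `is-enabled` output being described.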
n | 1 | Disable and mask the kdump service on RHEL 9. | n | 1 | Disable the kdump RHEL 9 service. |
2 | 2 | ||||
3 | To disable the kdump service run the following command: | 3 | To disable the kdump service run the following command: | ||
4 | 4 | ||||
5 | $ sudo systemctl disable --now kdump | 5 | $ sudo systemctl disable --now kdump | ||
6 | 6 | ||||
t | 7 | To mask the kdump service run the following command: | t | ||
8 | |||||
9 | $ sudo systemctl mask --now kdump | 7 | $ sudo systemctl mask --now kdump |
f | 1 | To determine if the system is configured to audit calls to the | f | 1 | To determine if the system is configured to audit calls to the |
2 | umount2 system call, run the following command: | 2 | umount2 system call, run the following command: | ||
3 | $ sudo grep "umount2" /etc/audit/audit.* | 3 | $ sudo grep "umount2" /etc/audit/audit.* | ||
4 | If the system is configured to audit this activity, it will return a line. | 4 | If the system is configured to audit this activity, it will return a line. | ||
5 | 5 | ||||
6 | 6 | ||||
t | 7 | If no line is returned, this is a finding. | t | 7 | If no line is returned, then this is a finding. |
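Review bot: `grep "umount2" /etc/audit/audit.*` on line 3 also matches a commented-out rule, yet the finding on line 7 only triggers when no line is returned, so a disabled rule passes. Consider the `grep -v '^#'` style filter used elsewhere in the document, and note that on RHEL 9 the effective rules are kept in `/etc/audit/rules.d/*.rules`, which this glob does not cover.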
t | 1 | RHEL 9 must not have unauthorized interactive accounts. | t | 1 | RHEL 9 Must Be Configured In Accordance With The Security Configuration Settings Based On Dod Security Configuration Or Implementation Guidance, Including Stigs, Nsa Configuration Guides, Ctos, And Dtms. |
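Review bot: the new title ("RHEL 9 Must Be Configured In Accordance With The Security Configuration Settings Based On Dod ...") does not describe the check that follows it, which is still about unauthorized interactive accounts; the old title matched. This looks like another mis-paired rule, and the Title Case ("Dod", "Stigs", "Nsa", "Ctos", "Dtms") is inconsistent with the other titles.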
n | 1 | Verify that there are no unauthorized local interactive user accounts with the following command: | n | 1 | To verify that there are no unauthorized local user accounts, run the following command: |
2 | $ less /etc/passwd | ||||
3 | Inspect the results, and if unauthorized local user accounts exist, remove them by running | ||||
4 | the following command: | ||||
5 | $ sudo userdel unauthorized_user | ||||
2 | 6 | ||||
t | 3 | $ less /etc/passwd | t | ||
4 | |||||
5 | root:x:0:0:root:/root:/bin/bash | ||||
6 | ... | ||||
7 | smithk:x:1000:1000:smithk:/home/smithk:/bin/bash | ||||
8 | throckw:x:1001:1001:throckw:/home/throckw:/bin/bash | ||||
9 | |||||
10 | Interactive user account, generally will have a UID of 1000 or greater, a home directory in a specific partition, and an interactive shell. | ||||
11 | |||||
12 | Obtain the list of interactive user accounts authorized to be on the system from the System Administrator or Information System Security Officer (ISSO) and compare it to the list of local interactive user accounts on the system. | ||||
13 | |||||
14 | If there are unauthorized local user accounts on the system, this is a finding. | 7 | If there are unauthorized local user accounts on the system, then this is a finding. |
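Review bot: the new side turns the check into a remediation by embedding `$ sudo userdel unauthorized_user` on line 5, while the separate fix hunk below is emptied; check text should only assess, with removal kept in the fix. It also drops the criteria an auditor needs to make the call (old lines 10 and 12: UID of 1000 or greater, a home directory and interactive shell, and comparison against the list of authorized accounts obtained from the SA or ISSO), leaving "unauthorized" undefined.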
n | 1 | Remove unauthorized local interactive user accounts with the following command where <unauthorized_user> is the unauthorized account: | n | ||
2 | 1 | ||||
t | 3 | $ sudo userdel <unauthorized_user> | t |
f | 1 | Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: | f | 1 | Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: |
2 | 2 | ||||
3 | $ grep maxclassrepeat /etc/security/pwquality.conf | 3 | $ grep maxclassrepeat /etc/security/pwquality.conf | ||
4 | 4 | ||||
5 | maxclassrepeat = 4 | 5 | maxclassrepeat = 4 | ||
6 | 6 | ||||
t | 7 | If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding. | t | 7 | If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, then this is a finding. |
t | 1 | Verify that RHEL 9 contains no duplicate User IDs (UIDs) for interactive users with the following command: | t | 1 | Verify that RHEL 9 contains no duplicate User IDs (UIDs) for interactive users. |
2 | |||||
3 | Check that the operating system contains no duplicate UIDs for interactive users with the following command: | ||||
2 | 4 | ||||
3 | $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd | 5 | $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd | ||
4 | 6 | ||||
5 | If output is produced and the accounts listed are interactive user accounts, this is a finding. | 7 | If output is produced and the accounts listed are interactive user accounts, this is a finding. |
f | 1 | Verify that RHEL 9 has the rng-tools package installed with the following command: | f | 1 | Verify that RHEL 9 has the rng-tools package installed with the following command: |
2 | 2 | ||||
t | 3 | $ sudo dnf list --installed rng-tools | t | 3 | $ dnf list --installed rng-tools |
4 | 4 | ||||
5 | rng-tools.x86_64 6.14-2.git.b2b7934e.el9 | 5 | rng-tools.x86_64 6.14-2.git.b2b7934e.el9 | ||
6 | 6 | ||||
7 | If a rng-tools package is not installed, this is a finding. | 7 | If a rng-tools package is not installed, this is a finding. |
n | 1 | Verify the operating system is not configured to bypass password requirements for privilege escalation with the following command: | n | 1 | Verify the operating system is not configured to bypass password requirements for privilege |
2 | escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: | ||||
3 | $ sudo grep pam_succeed_if /etc/pam.d/sudo | ||||
2 | 4 | ||||
t | 3 | $ sudo grep pam_succeed_if /etc/pam.d/sudo | t | 5 | If system is configured to bypass password requirements for privilege escalation, then this is a finding. |
4 | |||||
5 | If any occurances of "pam_succeed_if" are returned, this is a finding. |
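Review bot: the new finding on line 5, "If system is configured to bypass password requirements for privilege escalation, then this is a finding", is circular and gives no observable criterion; the old line 5 tied the finding to the grep result ("If any occurrences of "pam_succeed_if" are returned"). Keep the concrete wording (and the old side's "occurances" spelling should be "occurrences").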
f | 1 | Configure the operating system to require users to supply a password for privilege escalation. | f | 1 | Configure the operating system to require users to supply a password for privilege escalation. |
2 | 2 | ||||
t | t | 3 | Check the configuration of the "/etc/pam.d/sudo" file with the following command: | ||
4 | $ sudo vi /etc/pam.d/sudo | ||||
5 | |||||
3 | Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file. | 6 | Remove any occurrences of " pam_succeed_if " in the file. |
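Review bot: new lines 3 and 4 say "Check the configuration ... with the following command" and then give `$ sudo vi /etc/pam.d/sudo`, which opens an editor rather than checking anything; this belongs in a fix as "Edit /etc/pam.d/sudo and remove ...". The quoted `" pam_succeed_if "` also carries padding spaces inside the quotes on both sides; quote the bare module name.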
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
f | 1 | Verify RHEL 9 is configured to disable kernel image loading. | f | 1 | Verify RHEL 9 is configured to disable kernel image loading. |
2 | 2 | ||||
3 | Check the status of the kernel.kexec_load_disabled kernel parameter with the following command: | 3 | Check the status of the kernel.kexec_load_disabled kernel parameter with the following command: | ||
4 | 4 | ||||
n | 5 | $ sysctl kernel.kexec_load_disabled | n | 5 | $ sudo sysctl kernel.kexec_load_disabled |
6 | 6 | ||||
7 | kernel.kexec_load_disabled = 1 | 7 | kernel.kexec_load_disabled = 1 | ||
8 | 8 | ||||
9 | If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. | 9 | If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this kernel parameter with the following command: | 11 | Check that the configuration files are present to enable this kernel parameter with the following command: | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F kernel.kexec_load_disabled | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F kernel.kexec_load_disabled | tail -1 | ||
14 | 14 | ||||
15 | kernel.kexec_load_disabled = 1 | 15 | kernel.kexec_load_disabled = 1 | ||
16 | 16 | ||||
t | 17 | If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. | t | 17 | If "kernel.kexec_load_disablede" is not set to "1" or is missing, this is a finding. |
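Review bot: the right column introduces a typo in its last line (new line 17): "kernel.kexec_load_disablede" should be "kernel.kexec_load_disabled", matching the parameter name used in the commands on lines 5 and 13 and the expected output on lines 7 and 15.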
f | 1 | If emergency user accounts remain active when no longer needed or for | f | 1 | If emergency user accounts remain active when no longer needed or for |
2 | an excessive period, these accounts may be used to gain unauthorized access. | 2 | an excessive period, these accounts may be used to gain unauthorized access. | ||
3 | To mitigate this risk, automated termination of all emergency accounts | 3 | To mitigate this risk, automated termination of all emergency accounts | ||
4 | must be set upon account creation. | 4 | must be set upon account creation. | ||
t | 5 | t | |||
6 |
t | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by commenting or removing the 'CRYPTO_POLICY=' line in /etc/sysconfig/sshd: | t | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by commenting or removing the 'CRYPTO_POLICY=' line in /etc/sysconfig/sshd: |
2 | 2 | ||||
3 | # CRYPTO_POLICY= | 3 | # CRYPTO_POLICY= | ||
4 | 4 | ||||
5 | A reboot is required for the changes to take effect. | 5 | A reboot is required for the changes to take effect. |
t | 1 | The RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/shadow file must have 0000 to prevent unauthorized access. |
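Review bot: the rewritten title drops the word "mode" ("must have 0000 to prevent unauthorized access"), which no longer parses; keep "must have mode 0000". The /etc/gshadow and /etc/gshadow- titles further down this page have the same regression.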
n | 1 | Verify that the "/etc/shadow" file has mode "0000" with the following command: | n | 1 | To check the permissions of /etc/shadow , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n" /etc/shadow | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 000 | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/shadow | t | 7 | If /etc/shadow does not have unix mode 000, then this is a finding. |
4 | |||||
5 | 0 /etc/shadow | ||||
6 | |||||
7 | If a value of "0" is not returned, this is a finding. |
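Review bot: the expected output in the right column (new line 5, "000") does not match what the command on new line 3 prints: "stat -c "%a %n"" emits the octal mode without leading zeros followed by the path, so a correctly configured file shows "0 /etc/shadow", exactly as the left column's sample on old line 5. Restore "0 /etc/shadow" as the sample, or the reader will treat a passing result as a finding.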
t | 1 | Change the mode of the file "/etc/shadow" to "0000" by running the following command: | t | 1 | Change the permissions of the file "/etc/shadow" to "0000" by running the following command: |
2 | |||||
3 | $ sudo chmod 0000 /etc/shadow | 2 | $ sudo chmod 0000 /etc/shadow |
n | 1 | Verify the group ownership of the "/etc/passwd" file with the following command: | n | 1 | To check the group ownership of /etc/passwd , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/passwd | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /etc/passwd | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/passwd | t | ||
4 | |||||
5 | root /etc/passwd | ||||
6 | |||||
7 | If "/etc/passwd" file does not have a group owner of "root", this is a finding. | 7 | If /etc/passwd does not have a group owner of root, then this is a finding. |
f | 1 | Change the group of the file /etc/passwd to root by running the following command: | f | 1 | Change the group of the file /etc/passwd to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/passwd | 2 | $ sudo chgrp root /etc/passwd |
n | 1 | Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot with the following command: | n | 1 | Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: |
2 | 2 | ||||
n | 3 | $ grep 'dir =' /etc/security/faillock.conf | n | 3 | $ sudo grep 'dir =' /etc/security/faillock.conf |
4 | 4 | ||||
5 | dir = /var/log/faillock | 5 | dir = /var/log/faillock | ||
6 | 6 | ||||
t | 7 | If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding. | t | 7 | If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, then this is a finding. |
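Review bot: both columns are missing "to" in the first line: "is configured use a non-default faillock directory" should read "is configured to use a non-default faillock directory". Dropping "with the following command" in the right column is fine, since the colon already introduces the command.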
t | 1 | The RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/gshadow file must have 0000 or less permissive to prevent unauthorized access. |
n | 1 | Verify that the "/etc/gshadow" file has mode "0000" with the following command: | n | 1 | To check the permissions of /etc/gshadow , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n" /etc/gshadow | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | ---------- | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/gshadow | t | 7 | If /etc/gshadow does not have unix mode 000, then this is a finding. |
4 | |||||
5 | 0 /etc/gshadow | ||||
6 | |||||
7 | If a value of "0" is not returned, this is a finding. |
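Review bot: the sample output on new line 5 ("----------") is the symbolic form that "stat -c "%A"" would print, not what the "%a" format on new line 3 produces; with "%a %n" a correctly configured file prints "0 /etc/gshadow", as the left column's old line 5 shows. Use one form consistently: keep "%a" with "0 /etc/gshadow" as the expected output, or change the command to "stat -c "%A %n"" if the dashed form is wanted.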
t | 1 | Change the mode of the file "/etc/gshadow" to "0000" by running the following command: | t | 1 | Change the permissions of the file "/etc/gshadow" to "0000" by running the following command: |
2 | |||||
3 | $ sudo chmod 0000 /etc/gshadow | 2 | $ sudo chmod 0000 /etc/gshadow |
n | 1 | Verify RHEL 9 uses "pwquality" to enforce the password complexity rules in the password-auth file with the following command: | n | 1 | To check if pam_pwhistory.so is enabled in password-auth, run the following command: |
2 | $ grep pam_pwquality /etc/pam.d/password-auth | ||||
3 | The output should be similar to the following: | ||||
4 | password requisite pam_pwquality.so | ||||
2 | 5 | ||||
t | 3 | $ cat /etc/pam.d/password-auth | grep pam_pwquality | t | 6 | If pam_pwquality.so is not enabled in password-auth, then this is a finding. |
4 | |||||
5 | password required pam_pwquality.so | ||||
6 | |||||
7 | If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding. |
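Review bot: the right column's lead sentence (new line 1) names the wrong module: it says "check if pam_pwhistory.so is enabled" while the command on new line 2 greps for pam_pwquality and the finding on new line 6 refers to pam_pwquality.so; change the lead to pam_pwquality.so. The two columns also show different control flags in the sample line ("required" on old line 5, "requisite" on new line 4); both are legitimate PAM controls, so the finding should keep testing only for the presence of an uncommented pam_pwquality.so line, as the left column's old line 7 does.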
n | 1 | Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur with the following command: | n | 1 | Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: |
2 | 2 | ||||
n | 3 | $ grep audit /etc/security/faillock.conf | n | 3 | $ sudo grep audit /etc/security/faillock.conf |
4 | 4 | ||||
5 | audit | 5 | audit | ||
6 | 6 | ||||
t | 7 | If the "audit" option is not set, is missing, or is commented out, this is a finding. | t | 7 | If the "audit" option is not set, is missing or commented out, then this is a finding. |
f | 1 | Verify RHEL 9 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands: | f | 1 | Verify RHEL 9 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands: |
2 | 2 | ||||
3 | First check if the GRUB recovery is enabled: | 3 | First check if the GRUB recovery is enabled: | ||
4 | 4 | ||||
5 | $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub | 5 | $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub | ||
6 | 6 | ||||
7 | GRUB_DISABLE_RECOVERY="true" | 7 | GRUB_DISABLE_RECOVERY="true" | ||
8 | 8 | ||||
9 | If this option is set to true, then check that a line is output by the following command: | 9 | If this option is set to true, then check that a line is output by the following command: | ||
10 | 10 | ||||
11 | $ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub | 11 | $ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub | ||
12 | 12 | ||||
13 | If the option is set to false, then check that a line is output by the following command: | 13 | If the option is set to false, then check that a line is output by the following command: | ||
14 | 14 | ||||
15 | $ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub | 15 | $ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub | ||
16 | 16 | ||||
17 | If 'audit_backlog_limit' is not set to '8192' or greater, or the option is missing, this is a finding. | 17 | If 'audit_backlog_limit' is not set to '8192' or greater, or the option is missing, this is a finding. | ||
18 | 18 | ||||
19 | Additionally command line parameters for currently installed kernels must be checked as well with the following command: | 19 | Additionally command line parameters for currently installed kernels must be checked as well with the following command: | ||
20 | 20 | ||||
21 | $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' | 21 | $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' | ||
22 | 22 | ||||
t | 23 | If the command return any outputs and audit_backlog_limit is less than "8192", this is a finding. | t | 23 | If the command return any outputs and audit_backlog_limit is less than 8182, this is a finding. |
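Review bot: the threshold in the right column's final sentence (new line 23) is a typo: "less than 8182" should be "less than "8192"", matching the grep patterns on lines 11, 15 and 21 and the statement on line 17. Both columns also have a grammar slip in that sentence: "If the command return any outputs" should read "If the command returns any output".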
t | 1 | The RHEL 9 chronyd service must be enabled. | t | 1 | The RHEL 9 service chronyd must be enabled. |
t | 1 | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | t | 1 | If chrony is in use on the system proper configuration is vital to ensuring time |
2 | 2 | synchronization is working properly. | |||
3 | Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
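Review bot: the replacement rationale (new lines 1-2) needs a comma after "on the system" and now only says configuration is "vital", dropping the left column's concrete justification (inaccurate time stamps hinder event correlation and forensic analysis). Since the rule is about chronyd being enabled, keeping at least the first sentence of the left column would explain why the service must run.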
n | 1 | Verify the chronyd service is active with the following command: | n | 1 | Run the following command to determine the current status of the |
2 | chronyd service: | ||||
3 | $ sudo systemctl is-active chronyd | ||||
4 | If the service is running, it should return the following: active | ||||
2 | 5 | ||||
t | 3 | $ systemctl is-active chronyd | t | ||
4 | |||||
5 | active | ||||
6 | |||||
7 | If the chronyd service is not active, this is a finding. | 6 | If the chronyd process is not running, then this is a finding. |
n | 1 | Verify the boot loader superuser password has been set, run the following | n | 1 | To verify the boot loader superuser password has been set, run the following |
2 | command: | 2 | command: | ||
3 | 3 | ||||
n | 4 | $sudo grep "superusers" /etc/grub2.cfg | n | 4 | sudo grep "superusers" /etc/grub2.cfg |
5 | 5 | ||||
n | n | 6 | The output should show the following: | ||
6 | password_pbkdf2 superusers-account ${GRUB2_PASSWORD} | 7 | password_pbkdf2 superusers-account ${GRUB2_PASSWORD} | ||
7 | |||||
8 | To verify the boot loader superuser account password has been set, | 8 | To verify the boot loader superuser account password has been set, | ||
9 | and the password encrypted, run the following command: | 9 | and the password encrypted, run the following command: | ||
10 | 10 | ||||
n | 11 | $ sudo cat /boot/grub2/user.cfg | n | 11 | sudo cat /boot/grub2/user.cfg |
12 | 12 | The output should be similar to: | |||
13 | GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC | 13 | GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC | ||
14 | 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 | 14 | 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 | ||
15 | 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 | 15 | 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 | ||
16 | 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 | 16 | 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 | ||
17 | 17 | ||||
t | 18 | If a "GRUB2_PASSWORD" is not set, this is a finding. | t | 18 | If it does not, this is a finding. |
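Review bot: the final sentence in the right column (new line 18, "If it does not, this is a finding") has lost its referent, separated from the sample output by a blank line; the left column's "If a "GRUB2_PASSWORD" is not set, this is a finding" says what is being tested and should be kept. The right column also removes the "$" prompt from both commands (new lines 4 and 11), which is inconsistent with every other check on the page.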
n | 1 | Configure RHEL 9 to require a grub bootloader password for the grub superuser account. | n | 1 | Configure RHEL 9 to require a grub bootloader password for the grub superuser account. |
2 | 2 | ||||
n | 3 | Generate an encrypted grub2 password for the grub superuser account with the following command: | n | 3 | Generate an encrypted grub2 password for the grub superuser account with the following command: |
4 | 4 | ||||
5 | $ sudo grub2-setpassword | 5 | $ sudo grub2-setpassword | ||
6 | Enter password: | 6 | Enter password: | ||
7 | Confirm password: | 7 | Confirm password: | ||
8 | 8 | ||||
n | n | 9 | Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: | ||
9 | 10 | ||||
t | t | 11 | set superusers="[someuniquestringhere]" | ||
12 | export superusers |
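Review bot: the added fix text (new lines 9-12) mixes two files: it says to edit /etc/grub.d/40_custom but to place the lines in the "### BEGIN /etc/grub.d/01_users ###" section, and that marker is emitted into the generated grub.cfg, not found inside the 40_custom script. Name a single file to edit, and add the step that regenerates the boot configuration (grub2-mkconfig) after the change; otherwise the superusers setting never reaches the /etc/grub2.cfg that the corresponding check greps.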
t | 1 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat syscalls. | t | 1 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat syscalls. |
t | 1 | RHEL 9 must be configured to disable the Controller Area Network kernel module. | t | 1 | RHEL 9 Must Be Configured To Disable Non-Essential Capabilities. |
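Review bot: the retitled rule in the right column, "RHEL 9 Must Be Configured To Disable Non-Essential Capabilities", no longer identifies what is being disabled, while the discussion and check that follow are specifically about the CAN kernel module; it is also in Title Case unlike every other rule title on the page. Keep the left column's title, which names the Controller Area Network kernel module.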
t | 1 | Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation. | t | 1 | Disabling Controller Area Network (CAN) protects the system against exploitation of any |
2 | flaws in its implementation. |
n | 1 | Verify that RHEL 9 disables the ability to load the CAN kernel module with the following command: | n | ||
2 | 1 | ||||
n | n | 2 | If the system is configured to prevent the loading of the can kernel module, | ||
3 | it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf . | ||||
4 | These lines instruct the module loading system to run another program (such as /bin/true ) upon a module install event. | ||||
5 | Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf : | ||||
3 | $ sudo grep -r can /etc/modprobe.conf /etc/modprobe.d/* | 6 | $ grep -r can /etc/modprobe.conf /etc/modprobe.d | ||
4 | 7 | ||||
t | 5 | blacklist can | t | 8 | If no line is returned, then this is a finding. |
6 | |||||
7 | If the command does not return any output, or the line is commented out, and use of CAN is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. |
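Review bot: the right column's check (new lines 2-8) is weaker than the left's in three ways. The pattern "grep -r can" on new line 6 matches any line containing the substring "can" (for example "cannot" or "scan" in a comment), so "a line is returned" does not show the module is blocked, whereas the left column expects the specific line "blacklist can". The explanation on new lines 3-4 describes an "install ... /bin/true" line but the expected output never shows it, so the reader does not know which form to look for. And the left column's exception for CAN use documented with the ISSO (old line 7) was dropped. Suggest restoring the expected lines ("blacklist can", or the install line with /bin/true) with a word-anchored pattern such as "grep -r -w can", and keeping the documented-exception clause.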
n | 1 | Verify that the symlink exists and targets the correct Kerberos crypto policy, with the following command: | n | 1 | Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: |
2 | |||||
3 | file /etc/crypto-policies/back-ends/krb5.config | 2 | file /etc/crypto-policies/back-ends/krb5.config | ||
4 | 3 | ||||
5 | If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. | 4 | If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. | ||
6 | /etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt | 5 | /etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt | ||
7 | 6 | ||||
t | 8 | If the symlink does not exist or points to a different target, this is a finding. | t | 7 | If the symlink does not exist or points to a different target, then this is a finding. |
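Review bot: both columns misspell "output" as "ouput" in the sentence before the sample output, and the right column's first line has a subject-verb slip ("the symlink exists and target" should be "targets"). The "file" command on line 2 (new) / line 3 (old) also lacks the "$ " prompt used by every other check on the page.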
f | 1 | Verify RHEL 9 logs SSH connection attempts and failures to the server. | f | 1 | Verify RHEL 9 logs SSH connection attempts and failures to the server. |
2 | 2 | ||||
3 | Check what the SSH daemon's "LogLevel" option is set to with the following command: | 3 | Check what the SSH daemon's "LogLevel" option is set to with the following command: | ||
4 | 4 | ||||
5 | $ sudo grep -i LogLevel /etc/ssh/sshd_config | 5 | $ sudo grep -i LogLevel /etc/ssh/sshd_config | ||
6 | 6 | ||||
t | 7 | LogLevel VERBOSE | t | ||
8 | |||||
9 | If a value of "VERBOSE" is not returned, the line is commented out, or is missing, this is a finding. | 7 | If a value of "VERBOSE" is not returned, the line is commented out, or is missing, this is a finding. |
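Review bot: the right column drops the sample output line "LogLevel VERBOSE" (old line 7) while the finding sentence on new line 7 still says "If a value of "VERBOSE" is not returned"; keep the sample so the reader sees what a passing result looks like.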
f | 1 | Verify that RHEL 9 file system automounter has been disabled with the following command: | f | 1 | Verify that RHEL 9 file system automounter has been disabled with the following command: |
2 | 2 | ||||
3 | $ sudo systemctl is-enabled autofs | 3 | $ sudo systemctl is-enabled autofs | ||
4 | 4 | ||||
5 | masked | 5 | masked | ||
6 | 6 | ||||
t | 7 | If the returned value is not "masked", "disabled", "Failed to get unit file state for autofs.service for autofs", or "enabled" is returned and is not documented as operational requirement with the Information System Security Officer ISSO, this is a finding. | t | 7 | If the returned value is not "masked", "disabled", "Failed to get unit file state for autofs.service for autofs", or "enabled" is returned and is not documented as operational requirement with the Information System Security Officer ISSO. |
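Review bot: the right column's last sentence (new line 7) now ends at "Information System Security Officer ISSO." and no longer says "this is a finding", so the check states no outcome. The condition itself is garbled in both columns, reading as "if the value is not masked, disabled, ..., or enabled is returned and not documented". Split it into the three cases: "masked", "disabled" or the "Failed to get unit file state" message is not a finding; "enabled" is a finding unless documented with the ISSO as an operational requirement; any other value is a finding.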
t | 1 | The RHEL 9 /etc/gshadow- file must be owned by root. | t | 1 | The RHEL 9 /etc/gshadow- file must be group-owned by root. |
n | 1 | Verify the ownership of the "/etc/gshadow-" file with the following command: | n | 1 | To check the ownership of /etc/gshadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/gshadow- | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/gshadow- | t | ||
4 | |||||
5 | root /etc/gshadow- | ||||
6 | |||||
7 | If "/etc/gshadow-" file does not have an owner of "root", this is a finding. | 7 | If /etc/gshadow- does not have an owner of root, then this is a finding. |
t | 1 | Change the owner of the file /etc/gshadow- to root by running the following command: | t | 1 | Change the group of the file /etc/gshadow- to root by running the following command: |
2 | |||||
3 | $ sudo chown root /etc/gshadow- | 2 | $ sudo chgrp root /etc/gshadow- |
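Review bot: the fix in the right column was changed from "chown root" to "chgrp root" (new line 2) and the rule title was changed to "group-owned", but the check above it still runs "stat -c "%U %n"" and tests for "an owner of root", i.e. the user owner. Title, check and fix now disagree; either keep this as an ownership rule (chown, %U, "owner") or change all three to group ownership (chgrp, %G, "group owner"), as the /etc/passwd group-ownership check on this page does.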
t | 1 | Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. | t | 1 | Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. |
2 | 2 | ||||
3 | Check which services are currently active with the following command: | 3 | Check which services are currently active with the following command: | ||
4 | 4 | ||||
5 | $ sudo firewall-cmd --list-all-zones | 5 | $ sudo firewall-cmd --list-all-zones | ||
6 | 6 | ||||
7 | custom (active) | 7 | custom (active) | ||
8 | target: DROP | 8 | target: DROP | ||
9 | icmp-block-inversion: no | 9 | icmp-block-inversion: no | ||
10 | interfaces: ens33 | 10 | interfaces: ens33 | ||
11 | sources: | 11 | sources: | ||
12 | services: dhcpv6-client dns http https ldaps rpc-bind ssh | 12 | services: dhcpv6-client dns http https ldaps rpc-bind ssh | ||
13 | ports: | 13 | ports: | ||
14 | masquerade: no | 14 | masquerade: no | ||
15 | forward-ports: | 15 | forward-ports: | ||
16 | icmp-blocks: | 16 | icmp-blocks: | ||
17 | rich rules: | 17 | rich rules: | ||
18 | 18 | ||||
19 | Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. | 19 | Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. | ||
20 | 20 | ||||
21 | If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding. | 21 | If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding. |
t | 1 | Verify that RHEL 9 contains no duplicate Group IDs (GID) for interactive users with the following command: | t | 1 | Verify that RHEL 9 contains no duplicate Group IDs (GID) for interactive users. |
2 | |||||
3 | Check that the operating system contains no duplicate group names for interactive users by running the following command: | ||||
2 | 4 | ||||
3 | $ cut -d : -f 3 /etc/group | uniq -d | 5 | $ cut -d : -f 3 /etc/group | uniq -d | ||
4 | 6 | ||||
5 | If the system has duplicate group ids, this is a finding. | 7 | If the system has duplicate group ids, this is a finding. |
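Review bot: "cut -d : -f 3 /etc/group | uniq -d" (line 3 old / line 5 new) only reports duplicates that are adjacent in the file, because uniq compares consecutive lines; two entries with the same GID separated by other groups are missed. Insert a sort: "cut -d : -f 3 /etc/group | sort | uniq -d". The right column's new line 3 also says "duplicate group names" while field 3 is the GID, so it should say "duplicate group IDs" as the title does.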
n | 1 | Verify the boot loader superuser account has been set with the following command: | n | 1 | To verify the boot loader superuser account has been set, run the following |
2 | 2 | command: | |||
3 | $ sudo grep -A1 "superusers" /etc/grub2.cfg | 3 | sudo grep -A1 "superusers" /etc/grub2.cfg | ||
4 | 4 | The output should show the following: | |||
5 | set superusers="<superusers-account>" | 5 | set superusers=" superusers-account " | ||
6 | export superusers | 6 | export superusers | ||
n | 7 | n | |||
8 | The <superusers-account> is the actual account name different from common names like root, | 7 | where superusers-account is the actual account name different from common names like root, | ||
9 | admin, or administrator. | 8 | admin, or administrator. | ||
10 | 9 | ||||
t | 11 | If superusers contains easily guessable usernames, this is a finding. | t | 10 | If superusers contains easily guessable username, this is a finding. |
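Review bot: the sample on new line 5, "set superusers=" superusers-account "", has spaces inside the quotes that would be read as part of the account name; the left column's "<superusers-account>" placeholder is unambiguous and should be kept. On new line 10, "easily guessable username" should be plural ("usernames") to match the left column.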
f | 1 | Verify RHEL 9 will not accept IPv6 ICMP redirect messages. | f | 1 | Verify RHEL 9 will not accept IPv6 ICMP redirect messages. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | ||
4 | 4 | ||||
5 | Check the value of the default "accept_redirects" variables with the following command: | 5 | Check the value of the default "accept_redirects" variables with the following command: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.default.accept_redirects | t | 7 | $ sudo sysctl net.ipv6.conf.default.accept_redirects |
8 | 8 | ||||
9 | net.ipv6.conf.default.accept_redirects = 0 | 9 | net.ipv6.conf.default.accept_redirects = 0 | ||
10 | 10 | ||||
11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_redirects | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.default.accept_redirects | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.default.accept_redirects = 0 | 17 | net.ipv6.conf.default.accept_redirects = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding. |
f | 1 | Verify that RHEL 9 fapolicyd is active with the following command: | f | 1 | Verify that RHEL 9 fapolicyd is active with the following command: |
2 | 2 | ||||
3 | $ systemctl is-active fapolicyd | 3 | $ systemctl is-active fapolicyd | ||
4 | 4 | ||||
5 | active | 5 | active | ||
6 | 6 | ||||
t | 7 | If fapolicyd module is not active, this is a finding. | t | 7 | If fapolicyd is not active, this is a finding. |
f | 1 | Verify RHEL 9 ignores IPv6 ICMP redirect messages. | f | 1 | Verify RHEL 9 ignores IPv6 ICMP redirect messages. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | ||
4 | 4 | ||||
5 | Check the value of the "accept_redirects" variables with the following command: | 5 | Check the value of the "accept_redirects" variables with the following command: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.all.accept_redirects | t | 7 | $ sudo sysctl net.ipv6.conf.all.accept_redirects |
8 | 8 | ||||
9 | net.ipv6.conf.all.accept_redirects = 0 | 9 | net.ipv6.conf.all.accept_redirects = 0 | ||
10 | 10 | ||||
11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 11 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.accept_redirects | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.accept_redirects | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.all.accept_redirects = 0 | 17 | net.ipv6.conf.all.accept_redirects = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. |
t | 1 | Verify that RHEL 9 has the opensc package installed with the following command: | t | 1 | Verify that RHEL 9 has the opensc package installed with the following command:$ sudo dnf list --installed openscopensc.x86_64 0.22.0-2.el9If the opensc package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed opensc | ||||
4 | |||||
5 | opensc.x86_64 0.22.0-2.el9 | ||||
6 | |||||
7 | If the opensc package is not installed, this is a finding. |
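Review bot: the right column has lost its line breaks: command, sample output and finding sentence run together as "...with the following command:$ sudo dnf list --installed openscopensc.x86_64 0.22.0-2.el9If the opensc package...", so "opensc" and "opensc.x86_64" are fused into one token. Restore the layout of the left column (command, blank line, output, blank line, finding sentence).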
t | 1 | The opensc package can be installed with the following command: | t | 1 | The opensc package can be installed with the following command: |
2 | 2 | ||||
3 | $ sudo dnf install opensc | 3 | $ sudo dnf install opensc |
t | 1 | The RHEL 9 /etc/passwd- file must be owned by root. | t | 1 | The RHEL 9 /etc/passwd- file must be group-owned by root. |
n | 1 | Verify the ownership of the "/etc/passwd-" file with the following command: | n | 1 | To check the ownership of /etc/passwd- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/passwd- | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/passwd- | t | ||
4 | |||||
5 | root /etc/passwd- | ||||
6 | |||||
7 | If "/etc/passwd-" file does not have an owner of "root", this is a finding. | 7 | If /etc/passwd- does not have an owner of root, then this is a finding. |
t | 1 | Change the owner of the file /etc/passwd- to root by running the following command: | t | 1 | Change the group of the file /etc/passwd- to root by running the following command: |
2 | |||||
3 | $ sudo chown root /etc/passwd- | 2 | $ sudo chgrp root /etc/passwd- |
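Review bot: the title and fix in the right column now say group-owned and "chgrp root /etc/passwd-" (new line 2), while the check between them still uses "stat -c "%U %n"" and tests for "an owner of root", which is the user owner. Align the three on either user ownership (chown, %U, "owner") or group ownership (chgrp, %G, "group owner"); as written, a file owned by root but group-owned by another group passes the check and fails the stated requirement.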
f | 1 | Verify RHEL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: | f | 1 | Verify RHEL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: |
2 | 2 | ||||
t | 3 | $ sysctl net.ipv4.conf.all.rp_filter | t | 3 | $ sudo sysctl net.ipv4.conf.all.rp_filter |
4 | 4 | ||||
5 | net.ipv4.conf.all.rp_filter = 1 | 5 | net.ipv4.conf.all.rp_filter = 1 | ||
6 | 6 | ||||
7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. | 7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. | ||
8 | 8 | ||||
9 | Check that the configuration files are present to enable this network parameter. | 9 | Check that the configuration files are present to enable this network parameter. | ||
10 | 10 | ||||
11 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.rp_filter | tail -1 | 11 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.rp_filter | tail -1 | ||
12 | 12 | ||||
13 | net.ipv4.conf.all.rp_filter = 1 | 13 | net.ipv4.conf.all.rp_filter = 1 | ||
14 | 14 | ||||
15 | If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding. | 15 | If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding. |
n | 1 | Verify the permissions of the cron directories with the following command: | n | 1 | To check the permissions of the cron directories, |
2 | 2 | run the command: | |||
3 | $ find /etc/cron* -type d | xargs stat -c "%a %n" | 3 | $ find /etc/cron* -type d | xargs stat -c "%a %n" | ||
4 | If properly configured, the output should indicate the following permissions: | ||||
4 | 5 | ||||
5 | 700 /etc/cron.d | 6 | 700 /etc/cron.d | ||
6 | 700 /etc/cron.daily | 7 | 700 /etc/cron.daily | ||
7 | 700 /etc/cron.hourly | 8 | 700 /etc/cron.hourly | ||
8 | 700 /etc/cron.monthly | 9 | 700 /etc/cron.monthly | ||
9 | 700 /etc/cron.weekly | 10 | 700 /etc/cron.weekly | ||
10 | 11 | ||||
t | t | 12 | |||
11 | If any cron configuration directory is more permissive than 700, this is a finding. | 13 | If any cron configuration directory is more permissive than 700, then this is a finding. |
f | 1 | Verify the assigned home directories of all interactive users on the system exist with the following command: | f | 1 | Verify the assigned home directories of all interactive users on the system exist with the following command: |
2 | 2 | ||||
3 | $ sudo pwck -r | 3 | $ sudo pwck -r | ||
4 | 4 | ||||
5 | user 'mailnull': directory 'var/spool/mqueue' does not exist | 5 | user 'mailnull': directory 'var/spool/mqueue' does not exist | ||
6 | 6 | ||||
7 | The output should not return any interactive users. | 7 | The output should not return any interactive users. | ||
8 | 8 | ||||
t | 9 | If users home directory does not exist, this is a finding. | t | 9 | If users home directory does not exist, then this is a finding. |
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
t | 1 | The RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/gshadow- file must have 0000 or less permissive to prevent unauthorized access. |
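Review bot: the right-hand title drops the word "mode", leaving "must have 0000 or less permissive"; keep the left wording "must have mode 0000 or less permissive". The same word is dropped from the /etc/group- title further down.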
n | 1 | Verify that the "/etc/gshadow-" file has mode "0000" with the following command: | n | 1 | To check the permissions of /etc/gshadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n" /etc/gshadow- | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 000 /etc/gshadow- | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/gshadow- | t | 7 | If /etc/gshadow- does not have unix mode 000, then this is a finding. |
4 | |||||
5 | 0 /etc/gshadow- | ||||
6 | |||||
7 | If a value of "0" is not returned, this is a finding. |
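Review bot: the expected output on right-hand line 5, "000 /etc/gshadow-", will not match what the command on line 3 prints: `stat -c "%a"` prints the octal mode without zero padding, so a 0000 file shows as "0 /etc/gshadow-", which is what the left column correctly had. Keep "0 /etc/gshadow-" as the expected output, and have the criterion on line 7 quote the same value as the title (0000) rather than "unix mode 000".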
t | 1 | Change the mode of the file "/etc/gshadow-" to "0000" by running the following command: | t | 1 | Change the permissions of the file "/etc/gshadow-" to "0000" by running the following command: |
2 | |||||
3 | $ sudo chmod 0000 /etc/gshadow- | 2 | $ sudo chmod 0000 /etc/gshadow- |
n | 1 | Verify that RHEL 9 generates an audit record for all uses of the "umount" and system call with the following command: | n | 1 | Verify that RHEL 9 generates an audit record for all uses of the "umount" and system call. |
2 | To determine if the system is configured to audit calls to the | ||||
3 | "umount" system call, run the following command: | ||||
2 | $ sudo grep "umount" /etc/audit/audit.* | 4 | $ sudo grep "umount" /etc/audit/audit.* | ||
3 | If the system is configured to audit this activity, it will return a line like the following. | 5 | If the system is configured to audit this activity, it will return a line like the following. | ||
4 | -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount | 6 | -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount | ||
5 | 7 | ||||
t | 6 | If the command does not return a line, or the line is commented out, this is a finding. | t | 8 | If the command does not return a line, or the line is commented out, then this is a finding. |
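Review bot: line 1 on both sides reads 'all uses of the "umount" and system call', which is garbled; it should read 'all uses of the "umount" system call'. Line 5 ends with a period where the other checks use a colon before the expected output.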
f | 1 | Verify RHEL 9 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: | f | 1 | Verify RHEL 9 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: |
2 | 2 | ||||
t | 3 | $ sysctl kernel.unprivileged_bpf_disabled | t | 3 | $ sudo sysctl kernel.unprivileged_bpf_disabled |
4 | 4 | ||||
5 | kernel.unprivileged_bpf_disabled = 1 | 5 | kernel.unprivileged_bpf_disabled = 1 | ||
6 | 6 | ||||
7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. | 7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. |
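Review bot: "thru" on line 1 (both sides) should be "through", and "commands" should be singular since only one command follows.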
f | 1 | Verify that the version or RHEL 9 is vendor supported with the following command: | f | 1 | Verify that the version or RHEL 9 is vendor supported with the following command: |
2 | 2 | ||||
t | 3 | $ cat/etc/redhat-release | t | 3 | $ grep -i "red hat" /etc/redhat-release |
4 | |||||
4 | 5 | ||||
5 | Red Hat Enterprise Linux release 9.0 (Plow) | 6 | Red Hat Enterprise Linux release 9.0 (Plow) | ||
6 | 7 | ||||
7 | If the installed version of RHEL 9 is not supported, this is a finding. | 8 | If the installed version of RHEL 9 is not supported, this is a finding. |
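Review bot: line 1 on both sides reads "the version or RHEL 9"; it should be "the version of RHEL 9". The left command on line 3 is missing the space in `cat/etc/redhat-release`, which the right side repairs, but the replacement `grep -i "red hat"` only confirms that the file mentions Red Hat; neither command establishes that the release shown on line 6 is still vendor supported, so the criterion on line 8 needs to name the reference (the vendor's published lifecycle) against which the release string is compared.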
n | 1 | Verify that RHEL 9 is configured to audit the execution of the "poweroff" command with the following command: | n | 1 | Verify that an audit event is generated for any successful/unsuccessful use of the poweroff command by performing the following command to check the file system rules in "/etc/audit/audit.rules": |
2 | 2 | ||||
n | 3 | $ sudo auditctl -l | grep poweroff | n | 3 | $ sudo grep -w poweroff /etc/audit/audit.rules |
4 | 4 | ||||
5 | -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff | 5 | -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff | ||
6 | 6 | ||||
t | 7 | If the command does not return a line, or the line is commented out, this is a finding. | t | 7 | If the command does not return a line, or the line is commented out, then this is a finding. |
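Review bot: the two commands on line 3 check different things, and that matters for the criterion on line 7. `auditctl -l` lists the rules loaded in the kernel and never prints a commented line, so the "commented out" clause only makes sense for the right-hand file grep; conversely, grepping /etc/audit/audit.rules alone misses rules placed in /etc/audit/rules.d/ that augenrules has not yet merged, and can report a rule that exists on disk but is not loaded. Consider keeping both checks: the file grep for the persisted rule and `auditctl -l` for the running state.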
n | 1 | Verify that RHEL 9 library directories have a mode of 755 or less with the following commands: | n | 1 | Shared libraries are stored in the following directories: |
2 | /lib | ||||
3 | /lib64 | ||||
4 | /usr/lib | ||||
5 | /usr/lib64 | ||||
2 | 6 | ||||
n | n | 7 | To find shared libraries that are group-writable or world-writable, | ||
8 | run the following command for each directory DIR which contains shared libraries: | ||||
3 | $ sudo find -L /lib -perm /022 -type d | 9 | $ sudo find -L DIR -perm /022 -type d | ||
4 | $ sudo find -L /lib64 -perm /022 -type d | ||||
5 | $ sudo find -L /usr/lib -perm /022 -type d | ||||
6 | $ sudo find -L /usr/lib64 -perm /022 -type d | ||||
7 | 10 | ||||
t | 8 | If any of these directories are group-writable or world-writable, this is a finding | t | 11 | If any of these files are group-writable or world-writable, then this is a finding. |
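Review bot: the right column's prose and command disagree: lines 7 and 11 talk about shared libraries and "files", but the command on line 9 keeps `-type d` and so only lists directories, as the left column's line 8 correctly said. Either change the prose back to directories or, if the intent really is writable library files, replace `-type d` with `-type f`; the left column's explicit list of the four directories is also clearer than the DIR placeholder for an auditor running the check by hand.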
n | 1 | Verify that a separate file system/partition has been created for "/var" with the following command: | n | 1 | Verify that a separate file system/partition has been created for /var with the following command: |
2 | 2 | ||||
n | 3 | $ mount | grep /var | n | 3 | $ mountpoint /var |
4 | 4 | ||||
n | 5 | UUID=c274f65f-c5b5-4481-b007-bee96feb8b05 /var xfs noatime,nobarrier 1 2 | n | ||
6 | 5 | ||||
t | 7 | If a separate entry for "/var" is not in use, this is a finding. | t | 6 | If "/var is is not a mountpoint" is returned, then this is a finding. |
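Review bot: right-hand line 6 quotes the message as "/var is is not a mountpoint" (doubled "is"); `mountpoint` prints "/var is not a mountpoint". The switch away from `mount | grep /var` is an improvement, since that grep also matches /var/log, /var/tmp and similar mounts, and the left column's line 5 shows an /etc/fstab entry rather than `mount` output, so it never matched the left command either.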
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. |
f | 1 | Verify the ownership of the "/etc/ssh/sshd_config" file with the following command: | f | 1 | Verify the ownership of the "/etc/ssh/sshd_config" file with the following command: |
2 | 2 | ||||
3 | $ ls -al /etc/ssh/sshd_config | 3 | $ ls -al /etc/ssh/sshd_config | ||
4 | 4 | ||||
5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | 5 | rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config | ||
6 | 6 | ||||
t | 7 | If the "/etc/ssh/sshd_config" file does not have an owner of "root", this is a finding. | t | 7 | If the "/etc/ssh/sshd_config" file does not have an owner of "root", then this is a finding. |
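Review bot: the example output on line 5 (both sides) is missing the leading file-type character; `ls -al` prints "-rw-------." for a regular file. Since only ownership is being checked here, `stat -c "%U %n" /etc/ssh/sshd_config`, as used in the /etc/passwd hunk below, is the more direct command and produces output that is easier to compare.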
n | 1 | Verify the ownership of the "/etc/passwd" file with the following command: | n | 1 | To check the ownership of /etc/passwd , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/passwd | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root /etc/passwd | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/passwd | t | ||
4 | |||||
5 | root /etc/passwd | ||||
6 | |||||
7 | If "/etc/passwd" file does not have an owner of "root", this is a finding. | 7 | If /etc/passwd does not have an owner of root, then this is a finding. |
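Review bot: right-hand line 1 has a stray space before the comma ("/etc/passwd ,"); the same appears in the /etc/shadow group-ownership hunk below. Lines 1-2 also split one short sentence across two lines for no reason; "To check the ownership of /etc/passwd, run the command:" on a single line matches the rest of the document.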
n | 1 | Verify the group ownership of the "/etc/shadow" file with the following command: | n | 1 | To check the group ownership of /etc/shadow , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/shadow | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /etc/shadow | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/shadow | t | ||
4 | |||||
5 | root /etc/shadow | ||||
6 | |||||
7 | If "/etc/shadow" file does not have a group owner of "root", this is a finding. | 7 | If /etc/shadow does not have a group owner of root, then this is a finding. |
f | 1 | Change the group of the file /etc/shadow to root by running the following command: | f | 1 | Change the group of the file /etc/shadow to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/shadow | 2 | $ sudo chgrp root /etc/shadow |
t | 1 | Alan May | t | 1 | If temporary user accounts remain active when no longer needed or for |
2 | an excessive period, these accounts may be used to gain unauthorized access. | ||||
3 | To mitigate this risk, automated termination of all temporary accounts | ||||
4 | must be set upon account creation. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
f | 1 | Verify RHEL 9 does not IPv4 ICMP redirect messages. | f | 1 | Verify RHEL 9 does not IPv4 ICMP redirect messages. |
2 | 2 | ||||
3 | Check the value of the "all send_redirects" variables with the following command: | 3 | Check the value of the "all send_redirects" variables with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.conf.all.send_redirects | t | 5 | $ sudo sysctl net.ipv4.conf.all.send_redirects |
6 | 6 | ||||
7 | net.ipv4.conf.all.send_redirects = 0 | 7 | net.ipv4.conf.all.send_redirects = 0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. | 9 | If the returned line does not have a value of "0", or a line is not returned, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.send_redirects | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.send_redirects | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.all.send_redirects = 0 | 15 | net.ipv4.conf.all.send_redirects = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. | 17 | If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or is missing, this is a finding. |
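Review bot: line 1 on both sides is missing its verb ("does not IPv4 ICMP redirect messages"); it should read "does not send IPv4 ICMP redirect messages". Lines 9 and 17 also disagree on the criterion: line 9 makes any value other than 0 a finding, while line 17 allows an ISSO-documented operational exception; pick one and state it in both places. `egrep` on line 13 is deprecated; use `grep -E`.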
f | 1 | Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. | f | 1 | Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv4.conf.all.send_redirects = 0 | t | 5 | net.ipv4.conf.all.send_redirects=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
f | 1 | Verify RHEL 9 does not respond to ICMP echoes sent to a broadcast address. | f | 1 | Verify RHEL 9 does not respond to ICMP echoes sent to a broadcast address. |
2 | 2 | ||||
3 | Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: | 3 | Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.icmp_echo_ignore_broadcasts | t | 5 | $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts |
6 | 6 | ||||
7 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | 7 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. | 9 | If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.icmp_echo_ignore_broadcasts | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.icmp_echo_ignore_broadcasts | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | 15 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
16 | 16 | ||||
17 | If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1" or is missing, this is a finding. | 17 | If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1" or is missing, this is a finding. |
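Review bot: line 9 (both sides) has the typo "retuned", and its "commented out" clause cannot apply to `sysctl` output, which prints the live kernel value and never a comment; that condition belongs with the configuration-file check on line 17, which should then state it.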
f | 1 | Configure RHEL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. | f | 1 | Configure RHEL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | t | 5 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
t | 1 | Alan May | t | 1 | Passwords need to be protected at all times, and encryption is the standard |
2 | method for protecting passwords. If passwords are not encrypted, they can | ||||
3 | be plainly read (i.e., clear text) and easily compromised. Passwords that | ||||
4 | are encrypted with a weak algorithm are no more protected than if they are | ||||
5 | kepy in plain text. | ||||
6 | |||||
7 | |||||
8 | |||||
9 | This setting ensures user and group account administration utilities are | ||||
10 | configured to store only encrypted representations of passwords. | ||||
11 | Additionally, the "crypt_style" configuration option ensures the use | ||||
12 | of a strong hashing algorithm that makes password cracking attacks more | ||||
13 | difficult. |
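Review bot: right-hand line 5 has the typo "kepy" (kept), and lines 6-8 are three empty lines where a single paragraph break is enough. The text also says passwords are "encrypted", although, as line 12's "strong hashing algorithm" indicates, the utilities store one-way hashes, not reversible ciphertext; "hashed" is the accurate word throughout.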
t | 1 | Verify that RHEL 9 has the openssh-server package installed with the following command: | t | 1 | Verify that RHEL 9 has the openssh-server package installed with the following command:$ sudo dnf list --installed openssh-serveropenssh-server.x86_64 8.7p1-8.el9If the openssh-server package is not installed, this is a finding. |
2 | |||||
3 | $ sudo dnf list --installed openssh-server | ||||
4 | |||||
5 | openssh-server.x86_64 8.7p1-8.el9 | ||||
6 | |||||
7 | If the openssh-server package is not installed, this is a finding. |
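Review bot: the right column has lost its line breaks, running the command, its output and the finding criterion together into one line; keep the left column's layout (command, blank line, output, blank line, criterion).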
n | n | 1 | If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. | ||
2 | |||||
1 | Verify the location of the non-default tally directory for the pam_faillock module with the following command: | 3 | Verify the location of the non-default tally directory for the pam_faillock module with the following command: | ||
2 | 4 | ||||
n | 3 | Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. | n | ||
4 | |||||
5 | $ grep 'dir =' /etc/security/faillock.conf | 5 | $ sudo grep -w dir /etc/security/faillock.conf | ||
6 | 6 | ||||
7 | dir = /var/log/faillock | 7 | dir = /var/log/faillock | ||
8 | 8 | ||||
9 | Check the security context type of the non-default tally directory with the following command: | 9 | Check the security context type of the non-default tally directory with the following command: | ||
10 | 10 | ||||
n | 11 | $ ls -Zd /var/log/faillock | n | 11 | $ sudo ls -Zd /var/log/faillock |
12 | 12 | ||||
13 | unconfined_u:object_r:faillog_t:s0 /var/log/faillock | 13 | unconfined_u:object_r:faillog_t:s0 /var/log/faillock | ||
14 | 14 | ||||
t | 15 | If the security context type of the non-default tally directory is not "faillog_t", this is a finding. | t | 15 | If the security context type of the non-default tally directory is not "faillog_t", then this is a finding. |
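Review bot: the new `grep -w dir` on line 5 also matches the commented default that ships in faillock.conf (`# dir = /var/run/faillock`), as did the left-hand `grep 'dir ='`, so the output may show the commented example rather than an active setting; anchor the pattern to the start of the line (for example `grep -E '^\s*dir\s*=' /etc/security/faillock.conf`). Moving the applicability note to line 1 is an improvement.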
t | 1 | Verify that RHEL 9 has the openssh-clients package installed with the following command: | t | 1 | Verify that RHEL 9 has the openssh-clients package installed with the following command:$sudo dnf list --installed openssh-clientsopenssh-clients.x86_64 8.7p1-8.el9If a openssh-clients package is not installed, this is a finding. |
2 | |||||
3 | $sudo dnf list --installed openssh-clients | ||||
4 | |||||
5 | openssh-clients.x86_64 8.7p1-8.el9 | ||||
6 | |||||
7 | If a openssh-clients package is not installed, this is a finding. |
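Review bot: `$sudo` on line 3 (both sides) is missing the space after the prompt, line 7's "If a openssh-clients package" should be "If the openssh-clients package", and the right column has lost its line breaks, as in the openssh-server hunk above.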
t | 1 | The RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/passwd- file must have 0644 or less permissive to prevent unauthorized access. |
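Review bot: the right-hand title changes the file from /etc/group- to /etc/passwd- and drops the word "mode", but the check hunk that follows still inspects /etc/group- (its stat command and expected output), while the fix hunk further down also switches to /etc/passwd-; title, check and fix need to agree on one file. Keep the left wording "must have mode 0644 or less permissive".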
n | 1 | Verify that the "/etc/group-" file has mode "0644" or less permissive with the following command: | n | 1 | To check the permissions of /etc/group- , |
2 | 2 | run the command: | |||
3 | $ sudo stat -c "%a %n" /etc/group- | 3 | $ sudo stat -c "%a %n" /etc/group- | ||
4 | 4 | If properly configured, the output should indicate the following permissions: | |||
5 | 644 /etc/group- | 5 | 644 /etc/group- | ||
6 | 6 | ||||
t | 7 | If a value of "0644" or less permissive is not returned, this is a finding. | t | 7 | If /etc/group- does not have unix mode 644, then this is a finding. |
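Review bot: right-hand line 7 turns the criterion into an exact match ("does not have unix mode 644") while the title says "0644 or less permissive", so a file at 0600 or 0640 would wrongly become a finding; the left wording, 'If a value of "0644" or less permissive is not returned, this is a finding.', is the correct one. Line 1 also has a stray space before the comma.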
t | 1 | Change the mode of the file "/etc/group-" to "0644" by running the following command: | t | 1 | Change the permissions of the file "/etc/passwd-" to "0644" by running the following command: |
2 | |||||
3 | $ sudo chmod 0644 /etc/group- | 2 | $ sudo chmod 0644 /etc/passwd- |
t | 1 | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. | t | 1 | RHEL 9 audit logs file must have mode 0640 or less permissive to prevent unauthorized access to the audit log. |
n | 1 | Verify the audit logs have a mode of "0600". | n | 1 | Verify the audit logs have a mode of "0640". |
2 | 2 | ||||
3 | First determine where the audit logs are stored with the following command: | 3 | First determine where the audit logs are stored with the following command: | ||
4 | 4 | ||||
5 | $ sudo grep -iw log_file /etc/audit/auditd.conf | 5 | $ sudo grep -iw log_file /etc/audit/auditd.conf | ||
6 | 6 | ||||
7 | log_file = /var/log/audit/audit.log | 7 | log_file = /var/log/audit/audit.log | ||
8 | 8 | ||||
9 | Then using the location of the audit log file, determine if the audit log files as a mode of "0640" with the following command: | 9 | Then using the location of the audit log file, determine if the audit log files as a mode of "0640" with the following command: | ||
10 | 10 | ||||
11 | $ sudo ls -la /var/log/audit/*.log | 11 | $ sudo ls -la /var/log/audit/*.log | ||
12 | 12 | ||||
n | 13 | rw-------. 2 root root 237923 Jun 11 11:56 /var/log/audit/audit.log | n | 13 | rw-rw----. 2 root root 237923 Jun 11 11:56 /var/log/audit/audit.log |
14 | 14 | ||||
t | 15 | If the audit logs have a mode more permissive than "0600", this is a finding. | t | 15 | If the audit logs have a mode more permissive than "0640", this is a finding. |
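Review bot: the example output on right-hand line 13, "rw-rw----.", is mode 0660, which is more permissive than the 0640 required on lines 1, 9 and 15 and would itself be a finding; for 0640 `ls -la` prints "-rw-r-----." (with the leading file-type character, which both columns omit). The left column mixed 0600 on lines 1 and 15 with 0640 on line 9, so harmonising on 0640 is right, but the sample output has to match it.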
n | 1 | Configure the audit logs to have a mode of "0600" with the following command: | n | 1 | Configure the audit logs to have a mode of "0640" with the following command: |
2 | 2 | ||||
3 | Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". | 3 | Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". | ||
4 | 4 | ||||
t | 5 | $ sudo chmod 0600 /var/log/audit/[audit_log_file] | t | 5 | $ sudo chmod 0640 /var/log/audit/[audit_log_file] |
6 | Check the group that owns the system audit logs: | 6 | Check the group that owns the system audit logs: | ||
7 | 7 | ||||
8 | $ sudo grep -m 1 -q ^log_group /etc/audit/auditd.conf | 8 | $ sudo grep -m 1 -q ^log_group /etc/audit/auditd.conf | ||
9 | 9 | ||||
10 | If the log_group is not defined or it is set to root, configure the permissions the following way: | 10 | If the log_group is not defined or it is set to root, configure the permissions the following way: | ||
11 | 11 | ||||
12 | $ sudo chmod 0640 $log_file | 12 | $ sudo chmod 0640 $log_file | ||
13 | $ sudo chmod 0440 $log_file.* | 13 | $ sudo chmod 0440 $log_file.* | ||
14 | 14 | ||||
15 | Otherwise, configure the permisssions the following way: | 15 | Otherwise, configure the permisssions the following way: | ||
16 | 16 | ||||
17 | $ sudo chmod 0600 $log_file | 17 | $ sudo chmod 0600 $log_file | ||
18 | $ sudo chmod 0400 $log_file.* | 18 | $ sudo chmod 0400 $log_file.* |
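Review bot: line 5 now sets 0640 unconditionally, but lines 10-18 make the mode depend on log_group, so the two instructions conflict; drop line 5 or fold it into the conditional. The `grep -m 1 -q ^log_group` on line 8 is silent because of `-q`, so it cannot show the administrator the configured group; use `grep -m 1 ^log_group /etc/audit/auditd.conf`. The branches on lines 10-17 also look inverted: when log_group is root or undefined, group read adds nothing and 0600/0400 is the natural choice, while 0640/0440 is what a dedicated non-root log group needs. `$log_file` is used on lines 12-18 without being defined (line 3's "[audit_log_file]" placeholder should be used consistently), and "permisssions" on line 15 is a typo.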
t | 1 | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. | t | 1 | nauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. |
2 | 2 | ||||
3 | Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. | 3 | Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. | ||
4 | 4 | ||||
5 | Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. | 5 | Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. | ||
6 | 6 | ||||
7 | This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. | 7 | This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. |
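Review bot: right-hand line 1 drops the first letter of "Unauthorized" ("nauthorized changes to the baseline configuration ..."); restore it.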
f | 1 | Verify that RHEL 9 libreswan service package is installed. | f | 1 | Verify that RHEL 9 libreswan service package is installed. |
2 | 2 | ||||
3 | Check that the libreswan service package is installed with the following command: | 3 | Check that the libreswan service package is installed with the following command: | ||
4 | 4 | ||||
t | 5 | $ sudo dnf list --installed libreswan | t | 5 | $ dnf list --installed libreswan |
6 | 6 | ||||
7 | libreswan.x86_64 4.6-3.el9 | 7 | libreswan.x86_64 4.6-3.el9 | ||
8 | 8 | ||||
9 | If the libreswan package is not installed, this is a finding. | 9 | If the libreswan package is not installed, this is a finding. |
t | 1 | Verify that RHEL9 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: | t | 1 | Verify that RHEL 9 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: |
2 | 2 | ||||
3 | Check the account inactivity value by performing the following command: | 3 | Check the account inactivity value by performing the following command: | ||
4 | 4 | ||||
5 | $ sudo grep -i inactive /etc/default/useradd | 5 | $ sudo grep -i inactive /etc/default/useradd | ||
6 | 6 | ||||
7 | INACTIVE=35 | 7 | INACTIVE=35 | ||
8 | 8 | ||||
9 | If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding. | 9 | If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding. |
f | 1 | Verify RHEL 9 will not accept IPv4 ICMP redirect messages. | f | 1 | Verify RHEL 9 will not accept IPv4 ICMP redirect messages. |
2 | 2 | ||||
3 | Check the value of the all "accept_redirects" variables with the following command: | 3 | Check the value of the all "accept_redirects" variables with the following command: | ||
4 | 4 | ||||
t | 5 | $ sysctl net.ipv4.conf.all.accept_redirects | t | 5 | $ sudo sysctl net.ipv4.conf.all.accept_redirects |
6 | 6 | ||||
7 | net.ipv4.conf.all.accept_redirects = 0 | 7 | net.ipv4.conf.all.accept_redirects = 0 | ||
8 | 8 | ||||
9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | 9 | If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. | ||
10 | 10 | ||||
11 | Check that the configuration files are present to enable this network parameter. | 11 | Check that the configuration files are present to enable this network parameter. | ||
12 | 12 | ||||
13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.accept_redirects | tail -1 | 13 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.accept_redirects | tail -1 | ||
14 | 14 | ||||
15 | net.ipv4.conf.all.accept_redirects = 0 | 15 | net.ipv4.conf.all.accept_redirects = 0 | ||
16 | 16 | ||||
17 | If "net.ipv4.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. | 17 | If "net.ipv4.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. |
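Review bot: line 3 has the word order 'the all "accept_redirects" variables'; it should be 'the "all accept_redirects" variable'. Line 9's "or the line is commented out" cannot apply to `sysctl` output and belongs with the configuration-file check on line 17, which should then state it. `egrep` on line 13 is deprecated; use `grep -E`.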
f | 1 | Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: | f | 1 | Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: |
2 | 2 | ||||
n | 3 | $ grep pam_faillock.so /etc/pam.d/password-auth | n | 3 | $ sudo grep pam_faillock.so /etc/pam.d/password-auth |
4 | 4 | ||||
5 | auth required pam_faillock.so preauth | 5 | auth required pam_faillock.so preauth | ||
6 | auth required pam_faillock.so authfail | 6 | auth required pam_faillock.so authfail | ||
7 | account required pam_faillock.so | 7 | account required pam_faillock.so | ||
8 | 8 | ||||
t | 9 | If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding. | t | 9 | If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, then this is a finding. |
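Review bot: the criterion on line 9 requires the "preauth" line to come before pam_unix.so, but the grep on line 3 filters to pam_faillock.so only, so the expected output on lines 5-7 gives the auditor no way to confirm that ordering. Grep for both modules, for example `grep -E 'pam_(faillock|unix)\.so' /etc/pam.d/password-auth`, and include the pam_unix.so auth line in the expected output so the required order is visible.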
t | 1 | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. | t | 1 | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. |
f | 1 | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal | f | 1 | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal |
2 | sensitive information from the target processes (e.g. SSH sessions, web browser, etc) without any additional assistance from the user (i.e. without resorting to phishing). | 2 | sensitive information from the target processes (e.g. SSH sessions, web browser, etc) without any additional assistance from the user (i.e. without resorting to phishing). | ||
t | 3 | t |
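Review bot: lines 1-2 read "ptrace on another processes of the user. Like this, the attacker can steal ..."; it should be "ptrace on other processes of the same user. This way, an attacker can steal ...", and "etc" needs its period ("etc.").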
f | 1 | Verify RHEL 9 restricts usage of ptrace to descendant processes with the following commands: | f | 1 | Verify RHEL 9 restricts usage of ptrace to descendant processes with the following commands: |
2 | 2 | ||||
t | 3 | $ sysctl kernel.yama.ptrace_scope | t | 3 | $ sudo sysctl kernel.yama.ptrace_scope |
4 | 4 | ||||
5 | kernel.yama.ptrace_scope = 1 | 5 | kernel.yama.ptrace_scope = 1 | ||
6 | 6 | ||||
7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. | 7 | If the returned line does not have a value of "1", or a line is not returned, this is a finding. |
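Review bot: the criterion on line 7 treats any value other than 1 as a finding, but kernel.yama.ptrace_scope values 2 (only processes with CAP_SYS_PTRACE may attach) and 3 (no attaching at all) are stricter than 1; phrasing the criterion as "a value less than 1" avoids flagging the stricter settings. "commands" on line 1 should be singular.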
t | 1 | RHEL 9 must check the GPG signature of locally installed packages. | t | 1 | RHEL 9 must check the GPG sign of locally installed packages. |
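Review bot: the right-hand title changes "GPG signature" to "GPG sign", which is a regression; keep "signature".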
f | 1 | To obtain a listing of all users, their UIDs, and their shells, run the | f | 1 | To obtain a listing of all users, their UIDs, and their shells, run the |
2 | command: | 2 | command: | ||
3 | 3 | ||||
4 | $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd | 4 | $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd | ||
5 | 5 | ||||
6 | Identify the system accounts from this listing. These will primarily be the accounts | 6 | Identify the system accounts from this listing. These will primarily be the accounts | ||
7 | with UID numbers less than UID_MIN, other than root. Value of the UID_MIN | 7 | with UID numbers less than UID_MIN, other than root. Value of the UID_MIN | ||
8 | directive is set in /etc/login.defs configuration file. In the default | 8 | directive is set in /etc/login.defs configuration file. In the default | ||
9 | configuration UID_MIN is set to 1000. | 9 | configuration UID_MIN is set to 1000. | ||
10 | 10 | ||||
t | 11 | If any system account (other than root) has a login shell, this is a finding. | t | 11 | If any system account (other than root) has a login shell, then this is a finding. |
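Review bot: lines 7-8 ("Value of the UID_MIN directive is set in /etc/login.defs configuration file") need their articles: "The value of the UID_MIN directive is set in the /etc/login.defs configuration file". Line 11 should also say what counts as a login shell, since a properly locked account will show a shell such as /sbin/nologin in the listing from line 4; stating that /sbin/nologin and similar non-login shells do not count removes the ambiguity.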
n | 1 | Configure RHEL 9 so that all non-interactive accounts on the system do not have an interactive shell assigned to them. | n | 1 | Configure RHEL 9 so that all non-interactive accounts on the system have no interactive shell assigned to them. |
2 | 2 | ||||
3 | Run the following command to disable the interactive shell for a specific non-interactive user account: | 3 | Run the following command to disable the interactive shell for a specific non-interactive user account: | ||
4 | 4 | ||||
5 | $ sudo usermod --shell /sbin/nologin nobody | 5 | $ sudo usermod --shell /sbin/nologin nobody | ||
6 | 6 | ||||
t | 7 | Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. | t | 7 | Do not perform the steps in this section on the root account. Doing so mightcause the system to become inaccessible. |
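Review bot: missing space in "mightcause" on new line 7; it should be "might cause".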
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. |
f | 1 | Verify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. | f | 1 | Verify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. |
2 | 2 | ||||
3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | 3 | Note: If IPv6 is disabled on the system, this requirement is Not Applicable. | ||
4 | 4 | ||||
5 | Check that IPv6 forwarding is disabled using the following commands: | 5 | Check that IPv6 forwarding is disabled using the following commands: | ||
6 | 6 | ||||
t | 7 | $ sysctl net.ipv6.conf.all.forwarding | t | 7 | $ sudo sysctl net.ipv6.conf.all.forwarding |
8 | 8 | ||||
9 | net.ipv6.conf.all.forwarding = 0 | 9 | net.ipv6.conf.all.forwarding = 0 | ||
10 | 10 | ||||
11 | If the IPv6 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | 11 | If the IPv6 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. | ||
12 | 12 | ||||
13 | Check that the configuration files are present to enable this network parameter. | 13 | Check that the configuration files are present to enable this network parameter. | ||
14 | 14 | ||||
15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.forwarding | tail -1 | 15 | $ { /usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf; } | egrep -v '^(#|$)' | grep -F net.ipv6.conf.all.forwarding | tail -1 | ||
16 | 16 | ||||
17 | net.ipv6.conf.all.forwarding = 0 | 17 | net.ipv6.conf.all.forwarding = 0 | ||
18 | 18 | ||||
19 | If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding. | 19 | If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding. |
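Review bot: the compound check on line 15 (unchanged on both sides) uses `egrep`, which GNU grep now marks as obsolescent and warns about; `grep -E -v '^(#|$)'` does the same filtering without the warning. Adding `sudo` to the `sysctl` read on new line 7 is harmless but not required, since reading a sysctl value does not need privilege.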
f | 1 | Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. | f | 1 | Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. |
2 | 2 | ||||
3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | 3 | Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: | ||
4 | 4 | ||||
t | 5 | net.ipv6.conf.all.forwarding = 0 | t | 5 | net.ipv6.conf.all.forwarding=0 |
6 | 6 | ||||
7 | Load settings from all system configuration files with the following command: | 7 | Load settings from all system configuration files with the following command: | ||
8 | 8 | ||||
9 | $ sudo sysctl --system | 9 | $ sudo sysctl --system |
f | 1 | Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. | f | 1 | Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. |
2 | 2 | ||||
3 | /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 | 3 | /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
4 | /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 | 4 | /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
5 | /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 | 5 | /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
6 | /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 | 6 | /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
7 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | 7 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
8 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | 8 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
9 | /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 | 9 | /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
t | 10 | t | |||
11 | |||||
12 |
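Review bot: lines 7 and 8 both list `/usr/sbin/autrace` with identical attributes on both sides of the diff, so the duplicate entry should be removed (or replaced by whichever audit tool was actually intended). Dropping the trailing blank rows 10-12 from the old side is fine.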
n | 1 | Verify the ownership of the "/etc/gshadow" file with the following command: | n | 1 | To check the ownership of /etc/gshadow , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/gshadow | ||||
4 | If properly configured, the output should indicate the following owner: | ||||
5 | root /etc/gshadow | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%U %n" /etc/gshadow | t | ||
4 | |||||
5 | root /etc/gshadow | ||||
6 | |||||
7 | If "/etc/gshadow" file does not have an owner of "root", this is a finding. | 7 | If /etc/gshadow does not have an owner of root, then this is a finding. |
t | 1 | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | t | 1 | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. |
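Review bot: the retitle from "SSH client" to "SSH server" makes this requirement inconsistent with its check and fix text, which still say "SSH client" and point at `/etc/crypto-policies/back-ends/openssh.config`, the client back-end file; either keep the client title or update the check and fix to the server side as well.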
n | 1 | Verify SSH cllient is configured to use only ciphers employing FIPS 140-3 approved algorithms with the following command: | n | 1 | Verify SSH cllient is configured to use only ciphers employing FIPS 140-3-approved algorithms with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config | 3 | $ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config | ||
4 | MACs hmac-sha2-512,hmac-sha2-256 | 4 | MACs hmac-sha2-512,hmac-sha2-256 | ||
5 | 5 | ||||
6 | 6 | ||||
7 | If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, they are missing, or commented out, this is a finding. | 7 | If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, they are missing, or commented out, this is a finding. | ||
t | 8 | t |
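Review bot: "cllient" on line 1 is misspelled on both sides, and the sentence says "ciphers" although the grep and the finding statement on line 7 concern MACs; suggest "Verify the SSH client is configured to use only MACs employing FIPS 140-3-approved algorithms with the following command:".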
n | 1 | Configure the RHEL 9 SSH client to use only MACs employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following line: | n | 1 | Configure the RHEL 9 SSH client to use only MACs employing FIPS 140-3-approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following line: |
2 | 2 | ||||
3 | MACs hmac-sha2-512,hmac-sha2-256 | 3 | MACs hmac-sha2-512,hmac-sha2-256 | ||
4 | 4 | ||||
5 | A reboot is required for the changes to take effect. | 5 | A reboot is required for the changes to take effect. | ||
t | 6 | t |
n | 1 | Verify that RHEL 9 OpenSSL library is configured to use only ciphers employing FIPS 140-3 approved algorithms with the following command: | n | 1 | Verify that RHEL 9 OpenSSL library is configured to use only ciphers employing FIPS 140-3-approved algorithms: |
2 | |||||
3 | Verify that system-wide crypto policies are in effect: | ||||
2 | 4 | ||||
3 | $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf | 5 | $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf | ||
4 | 6 | ||||
t | 5 | .include = /etc/crypto-policies/back-ends/opensslcnf.config | t | 7 | .include /etc/crypto-policies/back-ends/opensslcnf.config |
6 | 8 | ||||
7 | If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding. | 9 | If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding. |
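Review bot: new line 7 drops the "=" from the expected `.include` line, but OpenSSL's configuration parser accepts both `.include path` and `.include = path`, so the expected output should either match the form RHEL 9 actually ships in `/etc/pki/tls/openssl.cnf` or state that either form is acceptable; the `grep -i opensslcnf.config` command itself matches both, so only the narrative line constrains the assessor.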
t | 1 | Configure the RHEL 9 OpenSSL library to use only ciphers employing FIPS 140-3 approved algorithms with the following command: | t | 1 | Configure the RHEL 9 OpenSSL library to use only ciphers employing FIPS 140-3-approved algorithms with the following command: |
2 | 2 | ||||
3 | $ sudo fips-mode-setup --enable | 3 | $ sudo fips-mode-setup --enable | ||
4 | 4 | ||||
5 | A reboot is required for the changes to take effect. | 5 | A reboot is required for the changes to take effect. |
t | 1 | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | t | 1 | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. |
n | 1 | Verify RHEL 9 is configured to ignore the Ctrl-Alt-Del sequence in the Gnome GUI with the following command: | n | 1 | To ensure that users cannot enable the Ctrl-Alt-Del sequence in the Gnome GUI, run the following: |
2 | 2 | ||||
3 | Note: This requirement assumes the use of the RHEL 9 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. | 3 | Note: This requirement assumes the use of the RHEL 9 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. | ||
4 | 4 | ||||
n | 5 | $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout | n | 5 | $ grep logout /etc/dconf/db/local.d/locks/* |
6 | 6 | ||||
n | 7 | "['']" | n | 7 | If properly configured, the output should be: |
8 | 8 | ||||
t | t | 9 | "/org/gnome/settings-daemon/plugins/media-keys/logout" | ||
10 | |||||
9 | If Gnome is configured to shut down when Ctrl-Alt-Del is pressed, this is a finding. | 11 | If Gnome can be configured to shut down when Ctrl-Alt-Del is pressed, then this is a finding. |
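Review bot: the new check only confirms that `logout` appears in a locks file, i.e. that users cannot change the key, not what value it is locked at; the old `gsettings get ... logout` check that expected `['']` is what actually verifies the binding is empty. If the finding statement on new line 11 is meant to cover the sequence being disabled as well as locked, the value check should be retained next to the lock check.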
n | 1 | Configure RHEL 9 to ignore the Ctrl-Alt-Del sequence in the GNOME GUI, if it is installed and the system is used to host services whos availability could be impacted. | n | 1 | Configure RHEL 9 to disallow the user changing the Ctrl-Alt-Del sequence in the GNOME GUI, if it is installed and the system is used to host services whos availability could be impacted. |
2 | 2 | ||||
n | 3 | Add or update the [org/gnome/settings-daemon/plugins/media-keys] section of the /etc/dconf/db/local.d/00-security-settings database file and add or update the following lines: | n | 3 | Create a database to container system-wide graphical user logon settings (if it does not already exist) with the following command: |
4 | 4 | ||||
t | t | 5 | $ sudo touch /etc/dconf/db/local.d/locks/session | ||
6 | |||||
7 | Add the following line to the session locks file to prevent unprivileged users from modifying the Ctrl-Alt-Del setting: | ||||
8 | |||||
5 | [org/gnome/settings-daemon/plugins/media-keys] | 9 | /org/gnome/settings-daemon/plugins/media-keys/logout | ||
6 | logout=[''] | ||||
7 | 10 | ||||
8 | Run the following command to update the database: | 11 | Run the following command to update the database: | ||
9 | 12 | ||||
10 | $ sudo dconf update | 13 | $ sudo dconf update |
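Review bot: "container" on new line 3 should be "contain", and "whos" on line 1 (both sides) should be "whose". Note also that the new fix removes the `[org/gnome/settings-daemon/plugins/media-keys]` / `logout=['']` setting and only adds the lock; a locked key with no system-wide value in `/etc/dconf/db/local.d` keeps the default binding, so if the intent is still to have Ctrl-Alt-Del ignored, keep the setting alongside the lock.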
f | 1 | Verify that interactive users on the system have a home directory assigned with the following command: | f | 1 | Verify that interactive users on the system have a home directory assigned with the following command: |
2 | 2 | ||||
3 | $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd | 3 | $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd | ||
4 | 4 | ||||
n | 5 | smithk:x:1000:1000:smithk:/home/smithk:/bin/bash | n | ||
6 | throckw:x:1001:1001:throckw:/home/throckw:/bin/bash | ||||
7 | |||||
8 | Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined. | 5 | Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined. | ||
9 | 6 | ||||
t | 10 | If users home directory is not defined, this is a finding. | t | 7 | If users home directory is not defined, then this is a finding. |
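Review bot: "greater that 1000" (old line 8 / new line 5) should be "greater than", and since the awk filter is `$3>=1000` the prose should say "greater than or equal to 1000" to match; "users home directory" should be "a user's home directory". Removing the sample output is correct, as those lines were full `/etc/passwd` records rather than the "name uid home" fields the awk command prints.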
t | 1 | Create and assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. | t | 1 | Assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. |
t | 1 | The RHEL 9 systemd-journald service must be enabled. | t | 1 | The RHEL 9 service systemd-journald must be enabled. |
n | 1 | Verify that "systemd-journald" is active with the following command: | n | 1 | Run the following command to determine the current status of the |
2 | systemd-journald service: | ||||
3 | $ sudo systemctl is-active systemd-journald | ||||
4 | If the service is running, it should return the following: active | ||||
2 | 5 | ||||
t | 3 | $ systemctl is-active systemd-journald | t | ||
4 | |||||
5 | active | ||||
6 | |||||
7 | If the systemd-journald service is not active, this is a finding. | 6 | If the systemd-journald service is not running, then this is a finding. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
t | 1 | The RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | t | 1 | The RHEL 9 /etc/shadow- file must have 0000 or less permissive to prevent unauthorized access. |
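Review bot: the new title drops the word "mode"; "must have mode 0000 or less permissive" is the grammatical form used elsewhere in this set.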
n | 1 | Verify that the "/etc/shadow-" file has mode "0000" with the following command: | n | 1 | To check the permissions of /etc/shadow- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%a %n" /etc/shadow- | ||||
4 | If properly configured, the output should indicate the following permissions: | ||||
5 | 000 /etc/shadow- | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%a %n" /etc/shadow- | t | 7 | If /etc/shadow- does not have unix mode 000, then this is a finding. |
4 | |||||
5 | 0 /etc/shadow- | ||||
6 | |||||
7 | If a value of "0" is not returned, this is a finding. |
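Review bot: `stat -c "%a"` prints the mode in octal without leading zeros, so a file with mode 0000 prints `0`, not `000`; the expected output on new line 5 and the "unix mode 000" wording on new line 7 will never match real output. Keep the old `0 /etc/shadow-` expected output (or phrase the finding as "mode 0000" while showing `0` as the command output).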
t | 1 | Change the mode of the file "/etc/shadow-" to "0000" by running the following command: | t | 1 | Change the permissions of the file "/etc/shadow-" to "0000" by running the following command: |
2 | |||||
3 | $ sudo chmod 0000 /etc/shadow- | 2 | $ sudo chmod 0000 /etc/shadow- |
t | 1 | The fapolicyd package can be installed with the following command: | t | 1 | The fapolicyd package can be installed with the following command: |
2 | 2 | ||||
3 | $ sudo dnf install fapolicyd | 3 | $ sudo dnf install fapolicyd |
n | 1 | Verify the group ownership of the "/etc/gshadow" file with the following command: | n | 1 | To check the group ownership of /etc/gshadow , |
2 | run the command: | ||||
3 | $ sudo stat -c "%G %n" /etc/gshadow | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /etc/gshadow | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/gshadow | t | ||
4 | |||||
5 | root /etc/gshadow | ||||
6 | |||||
7 | If "/etc/gshadow" file does not have a group owner of "root", this is a finding. | 7 | If /etc/gshadow does not have a group owner of root, then this is a finding. |
f | 1 | Change the group of the file /etc/gshadow to root by running the following command: | f | 1 | Change the group of the file /etc/gshadow to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/gshadow | 2 | $ sudo chgrp root /etc/gshadow |
n | 1 | Verify the group ownership of the "/etc/group-" file with the following command: | n | 1 | To check the group ownership of /etc/group- , |
2 | run the command: | ||||
3 | $ sudo stat -c "%U %n" /etc/group- | ||||
4 | If properly configured, the output should indicate the following group-owner: | ||||
5 | root /etc/group- | ||||
2 | 6 | ||||
t | 3 | $ sudo stat -c "%G %n" /etc/group- | t | ||
4 | |||||
5 | root /etc/group- | ||||
6 | |||||
7 | If "/etc/group-" file does not have a group owner of "root", this is a finding. | 7 | If /etc/group- does not have a group owner of root, then this is a finding. |
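Review bot: new line 3 uses `stat -c "%U %n"`, which prints the owning user, but this check is for group ownership and the old side correctly used `%G`; with `%U` the check passes on a file owned by root regardless of its group, so restore `%G`.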
f | 1 | Change the group of the file /etc/group- to root by running the following command: | f | 1 | Change the group of the file /etc/group- to root by running the following command: |
t | 2 | t | |||
3 | $ sudo chgrp root /etc/group- | 2 | $ sudo chgrp root /etc/group- |
t | 1 | Alan May | t | 1 | It is critical for the appropriate personnel to be aware if a system |
2 | is at risk of failing to process audit logs as required. Without this | ||||
3 | notification, the security personnel may be unaware of an impending failure of | ||||
4 | the audit capability, and system operation may be adversely affected. | ||||
5 | |||||
6 | |||||
7 | |||||
8 | Audit processing failures include software/hardware errors, failures in the | ||||
9 | audit capturing mechanisms, and audit storage capacity being reached or | ||||
10 | exceeded. |
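Review bot: the old side's "Alan May" looks like an author name that leaked into the discussion field, so replacing it with the rationale text is right; the three blank rows (5-7) between the two paragraphs of the new text could be collapsed to one.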
f | 1 | Configure RHEL 9 to shutdown when auditing failures occur. | f | 1 | Configure RHEL 9 to shutdown when auditing failures occur. |
2 | 2 | ||||
3 | Add the following line to the bottom of the /etc/audit/audit.rules file: | 3 | Add the following line to the bottom of the /etc/audit/audit.rules file: | ||
t | 4 | t | |||
5 | -f 2 | 4 | -f 2 |
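Review bot: "shutdown" on line 1 (both sides) is the noun; as a verb it should be "shut down". Also, both sides direct the `-f 2` line into `/etc/audit/audit.rules`, but when auditd is started with `augenrules` that file is regenerated from `/etc/audit/rules.d/*.rules` and a hand edit would be lost, so the fix should point at a rules.d file on systems using augenrules.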