diff --git a/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml similarity index 83% rename from shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml rename to shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml index cf7ead7c0dd0..2bb4af3b9e62 100644 --- a/shared/references/disa-stig-rhel8-v1r12-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml @@ -1,35 +1,35 @@ - - + + - - - - + + + + - - - - + + + + - - + + - + Red Hat Enterprise Linux 8 - oval:mil.disa.stig.rhel8os:def:1 + oval:mil.disa.stig.rhel8os:def:1 - - + + accepted Red Hat Enterprise Linux 8 STIG SCAP Benchmark This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. @@ -40,19 +40,19 @@ DISA STIG.DOD.MIL - Release: 1.12 Benchmark Date: 24 Jan 2024 + Release: 1.13 Benchmark Date: 24 July 2024 3.4.1.22916 1.10.0 - - RHEL 8.3 or Lower - - - - + + RHEL 8.3 or Lower + + + + - 001.012 + 001.013 DISA DISA 
@@ -2201,231 +2201,236 @@ + + Disable Slow Rules + This profile disables rules known to have poor performance in some environments, such as systems with large numbers of user accounts. + + CAT I Only This profile only includes rules that are Severity Category I. - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - + + + + + + - - - - + + - - - - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + - - - - - - - + - - - - - - - - - + + + + + + + + + - - - - - - - - + - - - - - + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - + - - + + + + + + + + + + + + + + - + + + - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + - - - - - + + + + + + + + + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010000 + + RHEL-08-010000 RHEL 8 must be a vendor-supported release. <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. 
@@ -2442,15 +2447,15 @@ Note: The life-cycle time spans and dates are subject to adjustment.</VulnDis Upgrade to a supported version of RHEL 8. - + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - - RHEL-08-010020 + + RHEL-08-010020 RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. @@ -2478,15 +2483,15 @@ Enable FIPS mode after installation (not strict FIPS-compliant) with the followi Reboot the system for the changes to take effect. - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - - RHEL-08-010110 + + RHEL-08-010110 RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. @@ -2508,15 +2513,15 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M ENCRYPT_METHOD SHA512 - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - - RHEL-08-010120 + + RHEL-08-010120 RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. <VulnDiscussion>The system must use a strong hashing algorithm to store the password. 
@@ -2532,15 +2537,15 @@ Passwords need to be protected at all times, and encryption is the standard meth Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - - RHEL-08-010130 + + RHEL-08-010130 The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. <VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. @@ -2560,15 +2565,15 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ SHA_CRYPT_MIN_ROUNDS 5000 - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - RHEL-08-010140 + + RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2588,15 +2593,15 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - RHEL-08-010150 + + RHEL-08-010150 RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -2616,15 +2621,15 @@ Enter password: Confirm password: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - RHEL-08-010151 + + RHEL-08-010151 RHEL 8 operating systems must require authentication upon booting into rescue mode. <VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2640,15 +2645,15 @@ Confirm password: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - RHEL-08-010160 + + RHEL-08-010160 The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -2670,15 +2675,15 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - RHEL-08-010161 + + RHEL-08-010161 RHEL 8 must prevent system daemons from using Kerberos for authentication. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -2700,15 +2705,15 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Remove any files with the .keytab extension from the operating system. - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - RHEL-08-010162 + + RHEL-08-010162 The krb5-workstation package must not be installed on RHEL 8. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -2730,15 +2735,15 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-workstation - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - RHEL-08-010171 + + RHEL-08-010171 RHEL 8 must have policycoreutils package installed. <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -2756,15 +2761,15 @@ Policycoreutils contains the policy core utilities that are required for basic o $ sudo yum install policycoreutils - + SRG-OS-000163-GPOS-00072 <GroupDescription></GroupDescription> - - RHEL-08-010200 + + RHEL-08-010200 RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. <VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
@@ -2794,15 +2799,15 @@ For the changes to take effect, the SSH daemon must be restarted: $ sudo systemctl restart sshd.service - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010210 + + RHEL-08-010210 The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -2820,15 +2825,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010220 + + RHEL-08-010220 The RHEL 8 /var/log/messages file must be owned by root. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
@@ -2846,15 +2851,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010230 + + RHEL-08-010230 The RHEL 8 /var/log/messages file must be group-owned by root. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -2872,15 +2877,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010240 + + RHEL-08-010240 The RHEL 8 /var/log directory must have mode 0755 or less permissive. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
@@ -2898,15 +2903,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010250 + + RHEL-08-010250 The RHEL 8 /var/log directory must be owned by root. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -2924,15 +2929,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + SRG-OS-000206-GPOS-00084 <GroupDescription></GroupDescription> - - RHEL-08-010260 + + RHEL-08-010260 The RHEL 8 /var/log directory must be group-owned by root. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
@@ -2950,15 +2955,15 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010292 + + RHEL-08-010292 RHEL 8 must ensure the SSH server uses strong entropy. <VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. @@ -2980,15 +2985,15 @@ SSH_USE_STRONG_RNG=32 The SSH service must be restarted for changes to take effect. - + SRG-OS-000250-GPOS-00093 <GroupDescription></GroupDescription> - - RHEL-08-010294 + + RHEL-08-010294 The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -3018,15 +3023,15 @@ DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect. - + SRG-OS-000259-GPOS-00100 <GroupDescription></GroupDescription> - - RHEL-08-010300 + + RHEL-08-010300 RHEL 8 system commands must have mode 755 or less permissive. <VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. 
@@ -3046,15 +3051,15 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + SRG-OS-000259-GPOS-00100 <GroupDescription></GroupDescription> - - RHEL-08-010310 + + RHEL-08-010310 RHEL 8 system commands must be owned by root. <VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -3074,15 +3079,15 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + SRG-OS-000259-GPOS-00100 <GroupDescription></GroupDescription> - - RHEL-08-010320 + + RHEL-08-010320 RHEL 8 system commands must be group-owned by root or a system account. <VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -3102,15 +3107,15 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - - RHEL-08-010370 + + RHEL-08-010370 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -3130,15 +3135,15 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - - RHEL-08-010371 + + RHEL-08-010371 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -3160,15 +3165,15 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - - RHEL-08-010372 + + RHEL-08-010372 RHEL 8 must prevent the loading of a new kernel for later execution. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -3208,15 +3213,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - - RHEL-08-010373 + + RHEL-08-010373 RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. @@ -3260,15 +3265,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - - RHEL-08-010374 + + RHEL-08-010374 RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
@@ -3312,15 +3317,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - RHEL-08-010375 + + RHEL-08-010375 RHEL 8 must restrict access to the kernel message buffer. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. @@ -3364,15 +3369,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - RHEL-08-010376 + + RHEL-08-010376 RHEL 8 must prevent kernel profiling by unprivileged users. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -3416,15 +3421,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - - RHEL-08-010380 + + RHEL-08-010380 RHEL 8 must require users to provide a password for privilege escalation. <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3442,15 +3447,15 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - - RHEL-08-010381 + + RHEL-08-010381 RHEL 8 must require users to reauthenticate for privilege escalation. <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3468,15 +3473,15 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + SRG-OS-000375-GPOS-00160 <GroupDescription></GroupDescription> - - RHEL-08-010390 + + RHEL-08-010390 RHEL 8 must have the packages required for multifactor authentication installed. <VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
@@ -3500,15 +3505,15 @@ This requirement only applies to components where this is specific to the functi $ sudo yum install openssl-pkcs11 - + SRG-OS-000433-GPOS-00193 <GroupDescription></GroupDescription> - - RHEL-08-010430 + + RHEL-08-010430 RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. @@ -3548,15 +3553,15 @@ Issue the following command to make the changes take effect: $ sudo sysctl --system - + SRG-OS-000437-GPOS-00194 <GroupDescription></GroupDescription> - - RHEL-08-010440 + + RHEL-08-010440 YUM must remove all software components after updated versions have been installed on RHEL 8. <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3574,15 +3579,15 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con clean_requirements_on_remove=True - + SRG-OS-000445-GPOS-00199 <GroupDescription></GroupDescription> - - RHEL-08-010450 + + RHEL-08-010450 RHEL 8 must enable the SELinux targeted policy. <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -3604,15 +3609,15 @@ SELINUXTYPE=targeted A reboot is required for the changes to take effect. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010460 + + RHEL-08-010460 There must be no shosts.equiv files on the RHEL 8 operating system. <VulnDiscussion>The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3628,15 +3633,15 @@ A reboot is required for the changes to take effect. $ sudo rm /etc/ssh/shosts.equiv - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010470 + + RHEL-08-010470 There must be no .shosts files on the RHEL 8 operating system. <VulnDiscussion>The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3652,15 +3657,15 @@ $ sudo rm /etc/ssh/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010480 + + RHEL-08-010480 The RHEL 8 SSH public host key files must have mode 0644 or less permissive. <VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3680,15 +3685,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010490 + + RHEL-08-010490 The RHEL 8 SSH private host key files must have mode 0640 or less permissive. <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3708,15 +3713,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010500 + + RHEL-08-010500 The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. <VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3736,15 +3741,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010520 + + RHEL-08-010520 The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. <VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3766,15 +3771,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010521 + + RHEL-08-010521 The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. <VulnDiscussion>Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3796,15 +3801,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010540 + + RHEL-08-010540 RHEL 8 must use a separate file system for /var. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3818,15 +3823,15 @@ $ sudo systemctl restart sshd.service Migrate the "/var" path onto a separate file system. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010541 + + RHEL-08-010541 RHEL 8 must use a separate file system for /var/log. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3840,15 +3845,15 @@ $ sudo systemctl restart sshd.service Migrate the "/var/log" path onto a separate file system. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010542 + + RHEL-08-010542 RHEL 8 must use a separate file system for the system audit data path. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3862,15 +3867,15 @@ $ sudo systemctl restart sshd.service Migrate the system audit data path onto a separate file system. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010543 + + RHEL-08-010543 A separate RHEL 8 filesystem must be used for the /tmp directory. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3884,15 +3889,15 @@ $ sudo systemctl restart sshd.service Migrate the "/tmp" directory onto a separate file system/partition. - + SRG-OS-000109-GPOS-00056 <GroupDescription></GroupDescription> - - RHEL-08-010550 + + RHEL-08-010550 RHEL 8 must not permit direct logons to the root account using remote access via SSH. <VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3914,15 +3919,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010561 + + RHEL-08-010561 The rsyslog service must be running in RHEL 8. <VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. 
@@ -3942,15 +3947,15 @@ $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010571 + + RHEL-08-010571 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3964,15 +3969,15 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010580 + + RHEL-08-010580 RHEL 8 must prevent special devices on non-root local partitions. <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3986,15 +3991,15 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010630 + + RHEL-08-010630 RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4008,15 +4013,15 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010640 + + RHEL-08-010640 RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4030,15 +4035,15 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010650 + + RHEL-08-010650 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -4052,15 +4057,15 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010671 + + RHEL-08-010671 RHEL 8 must disable the kernel.core_pattern. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -4098,15 +4103,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010673 + + RHEL-08-010673 RHEL 8 must disable core dumps for all users. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -4126,15 +4131,15 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard core 0 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010674 + + RHEL-08-010674 RHEL 8 must disable storing core dumps. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -4154,15 +4159,15 @@ Add or modify the following line in /etc/systemd/coredump.conf: Storage=none - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010675 + + RHEL-08-010675 RHEL 8 must disable core dump backtraces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -4182,15 +4187,15 @@ Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010760 + + RHEL-08-010760 All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. <VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -4206,15 +4211,15 @@ ProcessSizeMax=0 CREATE_HOME yes - + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - - RHEL-08-010830 + + RHEL-08-010830 RHEL 8 must not allow users to override SSH environment variables. <VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4236,15 +4241,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020010 + + RHEL-08-020010 RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4274,15 +4279,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020011 + + RHEL-08-020011 RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4306,15 +4311,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020012 + + RHEL-08-020012 RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4344,15 +4349,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020013 + + RHEL-08-020013 RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4376,15 +4381,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900 - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020014 + + RHEL-08-020014 RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4414,15 +4419,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020015 + + RHEL-08-020015 RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4446,15 +4451,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0 - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020018 + + RHEL-08-020018 RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4484,15 +4489,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020019 + + RHEL-08-020019 RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4516,15 +4521,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: silent - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020020 + + RHEL-08-020020 RHEL 8 must log user name information when unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4556,15 +4561,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020021 + + RHEL-08-020021 RHEL 8 must log user name information when unsuccessful logon attempts occur. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4588,15 +4593,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: audit - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020022 + + RHEL-08-020022 RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. @@ -4628,15 +4633,15 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - RHEL-08-020023 + + RHEL-08-020023 RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
@@ -4660,15 +4665,15 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root - + SRG-OS-000027-GPOS-00008 <GroupDescription></GroupDescription> - - RHEL-08-020024 + + RHEL-08-020024 RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. @@ -4688,15 +4693,15 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard maxlogins 10 - + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - - RHEL-08-020040 + + RHEL-08-020040 RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4725,15 +4730,15 @@ Reload tmux configuration to take effect. This can be performed in tmux while it $ tmux source-file /etc/tmux.conf - + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - - RHEL-08-020042 + + RHEL-08-020042 RHEL 8 must prevent users from disabling session control mechanisms. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
@@ -4753,15 +4758,15 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - - RHEL-08-020100 + + RHEL-08-020100 RHEL 8 must ensure the password complexity module is enabled in the password-auth file. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. @@ -4783,15 +4788,15 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password requisite pam_pwquality.so - + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - - RHEL-08-020110 + + RHEL-08-020110 RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -4815,15 +4820,15 @@ ucredit = -1 Remove any configurations that conflict with the above value. - + SRG-OS-000070-GPOS-00038 <GroupDescription></GroupDescription> - - RHEL-08-020120 + + RHEL-08-020120 RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4847,15 +4852,15 @@ lcredit = -1 Remove any configurations that conflict with the above value. - + SRG-OS-000071-GPOS-00039 <GroupDescription></GroupDescription> - - RHEL-08-020130 + + RHEL-08-020130 RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4879,15 +4884,15 @@ dcredit = -1 Remove any configurations that conflict with the above value. - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - - RHEL-08-020140 + + RHEL-08-020140 RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -4911,15 +4916,15 @@ maxclassrepeat = 4 Remove any configurations that conflict with the above value. - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - - RHEL-08-020150 + + RHEL-08-020150 RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4943,15 +4948,15 @@ maxrepeat = 3 Remove any configurations that conflict with the above value. - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - - RHEL-08-020160 + + RHEL-08-020160 RHEL 8 must require the change of at least four character classes when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4975,15 +4980,15 @@ minclass = 4 Remove any configurations that conflict with the above value. - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - - RHEL-08-020170 + + RHEL-08-020170 RHEL 8 must require the change of at least 8 characters when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -5007,15 +5012,15 @@ difok = 8 Remove any configurations that conflict with the above value. - + SRG-OS-000075-GPOS-00043 <GroupDescription></GroupDescription> - - RHEL-08-020180 + + RHEL-08-020180 RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5031,15 +5036,15 @@ Remove any configurations that conflict with the above value. $ sudo chage -m 1 [user] - + SRG-OS-000075-GPOS-00043 <GroupDescription></GroupDescription> - - RHEL-08-020190 + + RHEL-08-020190 RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5057,15 +5062,15 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - - RHEL-08-020200 + + RHEL-08-020200 RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5083,15 +5088,15 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - - RHEL-08-020210 + + RHEL-08-020210 RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5107,15 +5112,15 @@ PASS_MAX_DAYS 60 $ sudo chage -M 60 [user] - + SRG-OS-000077-GPOS-00045 <GroupDescription></GroupDescription> - - RHEL-08-020220 + + RHEL-08-020220 RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. @@ -5139,15 +5144,15 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - - RHEL-08-020230 + + RHEL-08-020230 RHEL 8 passwords must have a minimum of 15 characters. <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -5175,15 +5180,15 @@ minlen = 15 Remove any configurations that conflict with the above value. - + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - - RHEL-08-020231 + + RHEL-08-020231 RHEL 8 passwords for new users must have a minimum of 15 characters. <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
@@ -5205,15 +5210,15 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15 - + SRG-OS-000118-GPOS-00060 <GroupDescription></GroupDescription> - - RHEL-08-020260 + + RHEL-08-020260 RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. @@ -5235,15 +5240,15 @@ $ sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - + SRG-OS-000266-GPOS-00101 <GroupDescription></GroupDescription> - - RHEL-08-020280 + + RHEL-08-020280 All RHEL 8 passwords must contain at least one special character. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -5267,15 +5272,15 @@ ocredit = -1 Remove any configurations that conflict with the above value. - + SRG-OS-000383-GPOS-00166 <GroupDescription></GroupDescription> - - RHEL-08-020290 + + RHEL-08-020290 RHEL 8 must prohibit the use of cached authentications after one day. <VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. 
@@ -5295,15 +5300,15 @@ Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[ offline_credentials_expiration = 1 - + SRG-OS-000480-GPOS-00225 <GroupDescription></GroupDescription> - - RHEL-08-020300 + + RHEL-08-020300 RHEL 8 must prevent the use of dictionary words for passwords. <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5323,15 +5328,15 @@ dictcheck=1 Remove any configurations that conflict with the above value. - + SRG-OS-000480-GPOS-00226 <GroupDescription></GroupDescription> - - RHEL-08-020310 + + RHEL-08-020310 RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. <VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. 
@@ -5351,15 +5356,15 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr FAIL_DELAY 4 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020330 + + RHEL-08-020330 RHEL 8 must not allow accounts configured with blank or null passwords. <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5379,15 +5384,15 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020340 + + RHEL-08-020340 RHEL 8 must display the date and time of the last successful account logon upon logon. <VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5405,15 +5410,15 @@ Add the following line to the top of "/etc/pam.d/postlogin": session required pam_lastlog.so showfailed - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020350 + + RHEL-08-020350 RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. <VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5433,15 +5438,15 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + SRG-OS-000480-GPOS-00228 <GroupDescription></GroupDescription> - - RHEL-08-020351 + + RHEL-08-020351 RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5459,15 +5464,15 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 UMASK 077 - + SRG-OS-000326-GPOS-00126 <GroupDescription></GroupDescription> - - RHEL-08-030000 + + RHEL-08-030000 The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. @@ -5493,15 +5498,15 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000046-GPOS-00022 <GroupDescription></GroupDescription> - - RHEL-08-030020 + + RHEL-08-030020 The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. 
@@ -5523,15 +5528,15 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator action_mail_acct = root - + SRG-OS-000047-GPOS-00023 <GroupDescription></GroupDescription> - - RHEL-08-030040 + + RHEL-08-030040 The RHEL 8 System must take appropriate action when an audit processing failure occurs. <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. @@ -5555,15 +5560,15 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + SRG-OS-000047-GPOS-00023 <GroupDescription></GroupDescription> - - RHEL-08-030060 + + RHEL-08-030060 The RHEL 8 audit system must take appropriate action when the audit storage volume is full. <VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. 
@@ -5589,15 +5594,15 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-030061 + + RHEL-08-030061 The RHEL 8 audit system must audit local events. <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5617,15 +5622,15 @@ Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - - RHEL-08-030062 + + RHEL-08-030062 RHEL 8 must label all off-loaded audit logs before sending them to the central log server. <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5649,15 +5654,15 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-030063 + + RHEL-08-030063 RHEL 8 must resolve audit information before writing to disk. <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
@@ -5679,15 +5684,15 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030070 + + RHEL-08-030070 RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -5707,15 +5712,15 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO $ sudo chmod 0600 /var/log/audit/audit.log - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030080 + + RHEL-08-030080 RHEL 8 audit logs must be owned by root to prevent unauthorized read access. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -5737,15 +5742,15 @@ $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030090 + + RHEL-08-030090 RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5765,15 +5770,15 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO log_group = root - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030100 + + RHEL-08-030100 RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5795,15 +5800,15 @@ $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030110 + + RHEL-08-030110 RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5825,15 +5830,15 @@ $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030120 + + RHEL-08-030120 RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. 
@@ -5855,15 +5860,15 @@ $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030121 + + RHEL-08-030121 RHEL 8 audit system must protect auditing rules from unauthorized change. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5887,15 +5892,15 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - RHEL-08-030122 + + RHEL-08-030122 RHEL 8 audit system must protect logon UIDs from unauthorized change. <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. @@ -5917,15 +5922,15 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO --loginuid-immutable - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030130 + + RHEL-08-030130 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -5949,15 +5954,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030140 + + RHEL-08-030140 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -5981,15 +5986,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030150 + + RHEL-08-030150 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6013,15 +6018,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030160 + + RHEL-08-030160 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6045,15 +6050,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030170 + + RHEL-08-030170 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6077,15 +6082,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030171 + + RHEL-08-030171 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6109,15 +6114,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030172 + + RHEL-08-030172 RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6141,15 +6146,15 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030180 + + RHEL-08-030180 The RHEL 8 audit package must be installed. <VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
@@ -6173,15 +6178,15 @@ Install the audit service (if the audit service is not already installed) with t $ sudo yum install audit - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030190 + + RHEL-08-030190 Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6205,15 +6210,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030200 + + RHEL-08-030200 The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6250,15 +6255,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030250 + + RHEL-08-030250 Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6282,15 +6287,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030260 + + RHEL-08-030260 Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6314,15 +6319,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030280 + + RHEL-08-030280 Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6346,15 +6351,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030290 + + RHEL-08-030290 Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6378,15 +6383,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030300 + + RHEL-08-030300 Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6410,15 +6415,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030301 + + RHEL-08-030301 Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6442,15 +6447,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030302 + + RHEL-08-030302 Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6475,15 +6480,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030310 + + RHEL-08-030310 Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6507,15 +6512,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030311 + + RHEL-08-030311 Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6539,15 +6544,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030312 + + RHEL-08-030312 Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6571,15 +6576,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030313 + + RHEL-08-030313 Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6603,15 +6608,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030314 + + RHEL-08-030314 Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6635,15 +6640,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030315 + + RHEL-08-030315 Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6667,15 +6672,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030316 + + RHEL-08-030316 Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6699,15 +6704,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030317 + + RHEL-08-030317 Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -6731,15 +6736,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030320 + + RHEL-08-030320 Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6763,15 +6768,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030330 + + RHEL-08-030330 Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6795,15 +6800,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030340 + + RHEL-08-030340 Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6827,15 +6832,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030350 + + RHEL-08-030350 Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6859,15 +6864,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030360 + + RHEL-08-030360 Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6894,15 +6899,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030361 + + RHEL-08-030361 Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -6934,15 +6939,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030370 + + RHEL-08-030370 Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6966,15 +6971,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030390 + + RHEL-08-030390 Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6999,15 +7004,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030400 + + RHEL-08-030400 Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7031,15 +7036,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030410 + + RHEL-08-030410 Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7063,15 +7068,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030420 + + RHEL-08-030420 Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7106,15 +7111,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030480 + + RHEL-08-030480 Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7145,15 +7150,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030490 + + RHEL-08-030490 Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7183,15 +7188,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030550 + + RHEL-08-030550 Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7215,15 +7220,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030560 + + RHEL-08-030560 Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7247,15 +7252,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030570 + + RHEL-08-030570 Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7279,15 +7284,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030580 + + RHEL-08-030580 Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -7321,15 +7326,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - RHEL-08-030600 + + RHEL-08-030600 Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. <VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -7363,15 +7368,15 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000063-GPOS-00032 <GroupDescription></GroupDescription> - - RHEL-08-030610 + + RHEL-08-030610 RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. <VulnDiscussion>Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -7389,15 +7394,15 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf - + SRG-OS-000256-GPOS-00097 <GroupDescription></GroupDescription> - - RHEL-08-030620 + + RHEL-08-030620 RHEL 8 audit tools must have a mode of 0755 or less permissive. <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -7419,15 +7424,15 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - + SRG-OS-000256-GPOS-00097 <GroupDescription></GroupDescription> - - RHEL-08-030630 + + RHEL-08-030630 RHEL 8 audit tools must be owned by root. <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -7451,15 +7456,15 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + SRG-OS-000256-GPOS-00097 <GroupDescription></GroupDescription> - - RHEL-08-030640 + + RHEL-08-030640 RHEL 8 audit tools must be group-owned by root. <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. @@ -7483,15 +7488,15 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-030670 + + RHEL-08-030670 RHEL 8 must have the packages required for offloading audit logs installed. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7518,15 +7523,15 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-030680 + + RHEL-08-030680 RHEL 8 must have the packages required for encrypting offloaded audit logs installed. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -7553,15 +7558,15 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog-gnutls - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - - RHEL-08-030700 + + RHEL-08-030700 RHEL 8 must take appropriate action when the internal event queue is full. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -7585,15 +7590,15 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + SRG-OS-000343-GPOS-00134 <GroupDescription></GroupDescription> - - RHEL-08-030730 + + RHEL-08-030730 RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -7611,15 +7616,15 @@ space_left = 25% Note: Option names and values in the auditd.conf file are case insensitive. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-030741 + + RHEL-08-030741 RHEL 8 must disable the chrony daemon from acting as a server. <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
@@ -7641,15 +7646,15 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc port 0 - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-030742 + + RHEL-08-030742 RHEL 8 must disable network management of the chrony daemon. <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. @@ -7671,15 +7676,15 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc cmdport 0 - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040000 + + RHEL-08-040000 RHEL 8 must not have the telnet-server package installed. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7705,15 +7710,15 @@ If a privileged user were to log on using this service, the privileged user pass $ sudo yum remove telnet-server - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040001 + + RHEL-08-040001 RHEL 8 must not have any automated bug reporting tools installed. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -7735,15 +7740,15 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove abrt* - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040002 + + RHEL-08-040002 RHEL 8 must not have the sendmail package installed. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7765,15 +7770,15 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove sendmail - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040010 + + RHEL-08-040010 RHEL 8 must not have the rsh-server package installed. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7797,15 +7802,15 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion $ sudo yum remove rsh-server - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040021 + + RHEL-08-040021 RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -7830,15 +7835,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040022 + + RHEL-08-040022 RHEL 8 must disable the controller area network (CAN) protocol. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7863,15 +7868,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040023 + + RHEL-08-040023 RHEL 8 must disable the stream control transmission protocol (SCTP). <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7896,15 +7901,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040024 + + RHEL-08-040024 RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -7929,15 +7934,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040025 + + RHEL-08-040025 RHEL 8 must disable mounting of cramfs. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7962,15 +7967,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - RHEL-08-040026 + + RHEL-08-040026 RHEL 8 must disable IEEE 1394 (FireWire) Support. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -7993,15 +7998,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000114-GPOS-00059 <GroupDescription></GroupDescription> - - RHEL-08-040080 + + RHEL-08-040080 RHEL 8 must be configured to disable USB mass storage. <VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. 
@@ -8024,15 +8029,15 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": Reboot the system for the settings to take effect. - + SRG-OS-000300-GPOS-00118 <GroupDescription></GroupDescription> - - RHEL-08-040111 + + RHEL-08-040111 RHEL 8 Bluetooth must be disabled. <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. @@ -8064,15 +8069,15 @@ Add or update the line: Reboot the system for the settings to take effect. - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040120 + + RHEL-08-040120 RHEL 8 must mount /dev/shm with the nodev option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8094,15 +8099,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040121 + + RHEL-08-040121 RHEL 8 must mount /dev/shm with the nosuid option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -8122,15 +8127,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040122 + + RHEL-08-040122 RHEL 8 must mount /dev/shm with the noexec option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8152,15 +8157,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040123 + + RHEL-08-040123 RHEL 8 must mount /tmp with the nodev option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8182,15 +8187,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040124 + + RHEL-08-040124 RHEL 8 must mount /tmp with the nosuid option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -8210,15 +8215,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040125 + + RHEL-08-040125 RHEL 8 must mount /tmp with the noexec option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8240,15 +8245,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040126 + + RHEL-08-040126 RHEL 8 must mount /var/log with the nodev option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8270,15 +8275,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040127 + + RHEL-08-040127 RHEL 8 must mount /var/log with the nosuid option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -8300,15 +8305,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040128 + + RHEL-08-040128 RHEL 8 must mount /var/log with the noexec option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8330,15 +8335,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040129 + + RHEL-08-040129 RHEL 8 must mount /var/log/audit with the nodev option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8360,15 +8365,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040130 + + RHEL-08-040130 RHEL 8 must mount /var/log/audit with the nosuid option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -8390,15 +8395,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040131 + + RHEL-08-040131 RHEL 8 must mount /var/log/audit with the noexec option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8420,15 +8425,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040132 + + RHEL-08-040132 RHEL 8 must mount /var/tmp with the nodev option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8450,15 +8455,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040133 + + RHEL-08-040133 RHEL 8 must mount /var/tmp with the nosuid option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -8480,15 +8485,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - RHEL-08-040134 + + RHEL-08-040134 RHEL 8 must mount /var/tmp with the noexec option. <VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. @@ -8510,15 +8515,15 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - - RHEL-08-040160 + + RHEL-08-040160 All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. @@ -8540,15 +8545,15 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo systemctl enable sshd.service - + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - - RHEL-08-040161 + + RHEL-08-040161 RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
@@ -8576,15 +8581,15 @@ Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040172 + + RHEL-08-040172 The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -8604,15 +8609,15 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040190 + + RHEL-08-040190 The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. <VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -8628,15 +8633,15 @@ $ sudo systemctl daemon-reload $ sudo yum remove tftp-server - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040200 + + RHEL-08-040200 The root account must be the only account having unrestricted access to the RHEL 8 system. <VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -8652,15 +8657,15 @@ $ sudo yum remove tftp-server If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040210 + + RHEL-08-040210 RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -8698,15 +8703,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040220 + + RHEL-08-040220 RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. @@ -8746,15 +8751,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040230 + + RHEL-08-040230 RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. 
@@ -8793,15 +8798,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040240 + + RHEL-08-040240 RHEL 8 must not forward IPv6 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. @@ -8839,15 +8844,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040250 + + RHEL-08-040250 RHEL 8 must not forward IPv6 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. @@ -8885,15 +8890,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040260 + + RHEL-08-040260 RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
@@ -8931,15 +8936,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040261 + + RHEL-08-040261 RHEL 8 must not accept router advertisements on all IPv6 interfaces. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -8979,15 +8984,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040262 + + RHEL-08-040262 RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -9027,15 +9032,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040270 + + RHEL-08-040270 RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. 
@@ -9075,15 +9080,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040280 + + RHEL-08-040280 RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. @@ -9121,15 +9126,15 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040281 + + RHEL-08-040281 RHEL 8 must disable access to network bpf syscall from unprivileged processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9165,15 +9170,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040282 + + RHEL-08-040282 RHEL 8 must restrict usage of ptrace to descendant processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -9209,15 +9214,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040283 + + RHEL-08-040283 RHEL 8 must restrict exposed kernel pointer addresses access. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9253,15 +9258,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040284 + + RHEL-08-040284 RHEL 8 must disable the use of user namespaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9299,15 +9304,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040285 + + RHEL-08-040285 RHEL 8 must use reverse path filtering on all IPv4 interfaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -9343,15 +9348,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040290 + + RHEL-08-040290 RHEL 8 must be configured to prevent unrestricted mail relaying. <VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9367,15 +9372,15 @@ $ sudo sysctl --system $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040340 + + RHEL-08-040340 RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. <VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. 
@@ -9399,15 +9404,15 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040341 + + RHEL-08-040341 The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9425,15 +9430,15 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us X11UseLocalhost yes - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040350 + + RHEL-08-040350 If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. <VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -9449,15 +9454,15 @@ X11UseLocalhost yes server_args = -s /var/lib/tftpboot - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040360 + + RHEL-08-040360 A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. <VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9473,15 +9478,15 @@ server_args = -s /var/lib/tftpboot $ sudo yum remove vsftpd - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040370 + + RHEL-08-040370 The gssproxy package must not be installed unless mission essential on RHEL 8. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -9501,15 +9506,15 @@ The gssproxy package is a proxy for GSS API credential handling and could expose $ sudo yum remove gssproxy - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040380 + + RHEL-08-040380 The iprutils package must not be installed unless mission essential on RHEL 8. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9529,15 +9534,15 @@ The iprutils package provides a suite of utilities to manage and configure SCSI $ sudo yum remove iprutils - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040390 + + RHEL-08-040390 The tuned package must not be installed unless mission essential on RHEL 8. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9557,15 +9562,15 @@ The tuned package contains a daemon that tunes the system settings dynamically. $ sudo yum remove tuned - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - RHEL-08-010163 + + RHEL-08-010163 The krb5-server package must not be installed on RHEL 8. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -9587,15 +9592,15 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-server - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010382 + + RHEL-08-010382 RHEL 8 must restrict privilege elevation to authorized personnel. <VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -9611,15 +9616,15 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010383 + + RHEL-08-010383 RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9641,15 +9646,15 @@ Remove any configurations that conflict with the above from the following locati /etc/sudoers.d/ - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - - RHEL-08-010384 + + RHEL-08-010384 RHEL 8 must require re-authentication when using the "sudo" command. <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
@@ -9675,15 +9680,15 @@ Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - RHEL-08-010159 + + RHEL-08-010159 The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -9705,15 +9710,15 @@ Edit/modify the following line in the "/etc/pam.d/system-auth" file to include t password sufficient pam_unix.so sha512 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020331 + + RHEL-08-020331 RHEL 8 must not allow blank or null passwords in the system-auth file. <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -9729,15 +9734,15 @@ password sufficient pam_unix.so sha512 Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020332 + + RHEL-08-020332 RHEL 8 must not allow blank or null passwords in the password-auth file. <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9753,15 +9758,15 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-040286 + + RHEL-08-040286 RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -9799,15 +9804,15 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-010121 + + RHEL-08-010121 The RHEL 8 operating system must not have accounts configured with blank or null passwords. <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9826,15 +9831,15 @@ Lock an account: $ sudo passwd -l [username] - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - RHEL-08-020102 + + RHEL-08-020102 RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
@@ -9859,15 +9864,15 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line password requisite pam_pwquality.so retry=3 - + SRG-OS-000163-GPOS-00072 <GroupDescription></GroupDescription> - - RHEL-08-020035 + + RHEL-08-020035 RHEL 8 must terminate idle user sessions. <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -9889,21 +9894,21 @@ The "logind" service must be restarted for the changes to take effect. To restar Note: To preserve running user programs such as tmux, uncomment and/or edit "KillUserProccesses=no" in "/etc/systemd/logind.conf". - + - + - repotool - 5.10 - 2023-12-27T16:41:10 + Security Content Tool 0.7.0 + 5.11 + 2024-06-28T03:23:21 - + The operating system must be a vendor-supported release. @@ -9912,17 +9917,17 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - - + + - + The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
@@ -9931,7 +9936,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. @@ -9940,7 +9945,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system system commands must have mode 755 or less permissive. @@ -9949,7 +9954,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. @@ -9958,17 +9963,17 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must enable the SELinux targeted policy. - + - + The operating system must use a separate file system for /var. @@ -9978,7 +9983,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must use a separate file system for /var/log. @@ -9988,7 +9993,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. @@ -9998,7 +10003,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. 
@@ -10008,7 +10013,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must ensure the password complexity module is enabled in the password-auth file. @@ -10017,7 +10022,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must enforce password complexity by requiring that at least one uppercase character be used. @@ -10026,7 +10031,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must enforce password complexity by requiring that at least one lower-case character be used. @@ -10035,7 +10040,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must enforce password complexity by requiring that at least one numeric character be used. @@ -10071,7 +10076,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must require the change of at least 8 characters when passwords are changed. @@ -10080,17 +10085,17 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. - - + + - + The operating system must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. @@ -10099,7 +10104,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system passwords must have a minimum of 15 characters. @@ -10108,7 +10113,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + All the operating system passwords must contain at least one special character. 
@@ -10117,7 +10122,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must prohibit the use of cached authentications after one day. @@ -10127,7 +10132,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must display the date and time of the last successful account logon upon logon. @@ -10137,7 +10142,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. @@ -10146,7 +10151,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must disable the asynchronous transfer mode (ATM) protocol. @@ -10156,7 +10161,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must disable the controller area network (CAN) protocol. @@ -10166,7 +10171,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must disable the stream control transmission protocol (SCTP). @@ -10176,7 +10181,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must disable the transparent inter-process communication (TIPC) protocol. @@ -10186,17 +10191,23 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must disable mounting of cramfs. - - - + + + + + + + + + - + The operating system must disable IEEE 1394 (FireWire) Support. @@ -10206,7 +10217,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system must be configured to disable USB mass storage. @@ -10216,7 +10227,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system Bluetooth must be disabled. 
@@ -10226,7 +10237,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The operating system pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. @@ -10235,7 +10246,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. @@ -10244,7 +10255,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The system must terminate idle user sessions. @@ -10253,7 +10264,7 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + The system is RHEL 8.3 or lower @@ -10265,7 +10276,20 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - + + + RHEL 8 is installed + + RHEL 8 + + + RHEL 8 is installed + + + + + + The RHEL 8 version is RHEL 8.2 or newer. @@ -10274,11 +10298,11 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil External definition used to determine if the RHEL 8 version is RHEL 8.2 or newer for version applicability based requirements. - - + + - + IPv6 is disabled in the kernel. @@ -10288,13 +10312,13 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil - - + + - + - + OpenSSH is installed. 
@@ -10303,10 +10327,27 @@ Note: To preserve running user programs such as tmux, uncomment and/or edit "Kil OpenSSH is installed - + + + + + + RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + + Red Hat Enterprise Linux 8 + + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. + +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. + + + + - + RHEL-08-010110 - RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. @@ -10322,7 +10363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - + RHEL-08-010120 - RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. 
@@ -10333,10 +10374,10 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - + - + RHEL-08-010130 - The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. @@ -10351,7 +10392,7 @@ Passwords need to be protected at all times, and encryption is the standard meth - + RHEL-08-010140 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. @@ -10360,14 +10401,14 @@ Passwords need to be protected at all times, and encryption is the standard meth If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - + - - + + - + RHEL-08-010150 - RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. @@ -10376,14 +10417,14 @@ Passwords need to be protected at all times, and encryption is the standard meth If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - + - - + + - + RHEL-08-010160 - RHEL 8 operating systems must require authentication upon booting into rescue mode. 
@@ -10395,7 +10436,7 @@ Passwords need to be protected at all times, and encryption is the standard meth - + RHEL-08-010161 - RHEL 8 must prevent system daemons from using Kerberos for authentication. @@ -10410,12 +10451,12 @@ The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring t FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - - - + + + - + RHEL-08-010162 - The krb5-workstation package must not be installed on RHEL 8. @@ -10430,12 +10471,12 @@ Currently, Kerberos does not utilize FIPS 140-2 cryptography. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - - - + + + - + RHEL-08-010171 - RHEL 8 must have the policycoreutils package installed. @@ -10446,10 +10487,10 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. - + - + RHEL-08-010210 - The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. @@ -10463,7 +10504,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010220 - The RHEL 8 /var/log/messages file must be owned by root. @@ -10477,7 +10518,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010230 - The RHEL 8 /var/log/messages file must be group-owned by root. 
@@ -10491,7 +10532,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010240 - The RHEL 8 /var/log directory must have mode 0755 or less permissive. @@ -10505,7 +10546,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010250 - The RHEL 8 /var/log directory must be owned by root. @@ -10519,7 +10560,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010260 - The RHEL 8 /var/log directory must be group-owned by root. @@ -10533,7 +10574,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-010292 - RHEL 8 must ensure the SSH server uses strong entropy. @@ -10549,7 +10590,7 @@ The SSH implementation in RHEL8 uses the OPENSSL library, which does not use hig - + RHEL-08-010294 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. @@ -10577,7 +10618,7 @@ RHEL 8 incorporates system-wide crypto policies by default. The employed algori - + RHEL-08-010310 - RHEL 8 system commands must be owned by root. @@ -10591,7 +10632,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a - + RHEL-08-010320 - RHEL 8 system commands must be group-owned by root or a system account. @@ -10605,7 +10646,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a - + RHEL-08-010370 - RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
@@ -10618,11 +10659,11 @@ Accordingly, patches, service packs, device drivers, or operating system compone Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - - + + - + RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. @@ -10641,11 +10682,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. @@ -10665,11 +10706,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. @@ -10690,11 +10731,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer. @@ -10716,11 +10757,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users. @@ -10743,11 +10784,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010380 - RHEL 8 must require users to provide a password for privilege escalation. 
@@ -10758,11 +10799,11 @@ The sysctl --system command will load settings from all system configuration fil When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - + + - + RHEL-08-010381 - RHEL 8 must require users to reauthenticate for privilege escalation. @@ -10773,11 +10814,11 @@ When operating systems provide the capability to escalate a functional capabilit When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - - + + - + RHEL-08-010390 - RHEL 8 must have the packages required for multifactor authentication installed. @@ -10794,10 +10835,10 @@ Remote access is access to DoD nonpublic information systems by an authorized us This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). - + - + RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. @@ -10820,7 +10861,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-010440 - YUM must remove all software components after updated versions have been installed on RHEL 8. @@ -10832,7 +10873,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-010460 - There must be no shosts.equiv files on the RHEL 8 operating system. 
@@ -10841,10 +10882,10 @@ The sysctl --system command will load settings from all system configuration fil The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - + - + RHEL-08-010470 - There must be no .shosts files on the RHEL 8 operating system. @@ -10853,10 +10894,10 @@ The sysctl --system command will load settings from all system configuration fil The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - + - + RHEL-08-010480 - The RHEL 8 SSH public host key files must have mode 0644 or less permissive. @@ -10865,11 +10906,11 @@ The sysctl --system command will load settings from all system configuration fil If a public host key file is modified by an unauthorized user, the SSH service may be compromised. - - + + - + RHEL-08-010490 - The RHEL 8 SSH private host key files must have mode 0640 or less permissive. @@ -10882,7 +10923,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-010500 - The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. @@ -10891,11 +10932,11 @@ The sysctl --system command will load settings from all system configuration fil If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user. - - + + - + RHEL-08-010520 - The RHEL 8 SSH daemon must not allow authentication using known hosts authentication. 
@@ -10904,11 +10945,11 @@ The sysctl --system command will load settings from all system configuration fil Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere. - - + + - + RHEL-08-010521 - The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. @@ -10916,12 +10957,12 @@ The sysctl --system command will load settings from all system configuration fil Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use Kerberos authentication, even in the event of misconfiguration elsewhere. - - - + + + - + RHEL-08-010542 - RHEL 8 must use a separate file system for the system audit data path. @@ -10930,11 +10971,11 @@ The sysctl --system command will load settings from all system configuration fil The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - - + + - + RHEL-08-010543 - A separate RHEL 8 filesystem must be used for the /tmp directory. @@ -10943,11 +10984,11 @@ The sysctl --system command will load settings from all system configuration fil The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - - + + - + RHEL-08-010550 - RHEL 8 must not permit direct logons to the root account using remote access via SSH. 
@@ -10956,11 +10997,11 @@ The sysctl --system command will load settings from all system configuration fil Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system. - - + + - + RHEL-08-010560 - The auditd service must be running in RHEL 8. @@ -10972,10 +11013,10 @@ Configuration settings are the set of parameters that can be changed in hardware - + - + RHEL-08-010561 - The rsyslog service must be running in RHEL 8. @@ -10990,7 +11031,7 @@ Configuration settings are the set of parameters that can be changed in hardware - + RHEL-08-010571 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. @@ -10999,14 +11040,14 @@ Configuration settings are the set of parameters that can be changed in hardware The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - + - + RHEL-08-010580 - RHEL 8 must prevent special devices on non-root local partitions. @@ -11019,7 +11060,7 @@ Configuration settings are the set of parameters that can be changed in hardware - + RHEL-08-010630 - RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). 
@@ -11028,11 +11069,11 @@ Configuration settings are the set of parameters that can be changed in hardware The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - - + + - + RHEL-08-010640 - RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). @@ -11045,7 +11086,7 @@ Configuration settings are the set of parameters that can be changed in hardware - + RHEL-08-010650 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). @@ -11054,11 +11095,11 @@ Configuration settings are the set of parameters that can be changed in hardware The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - - + + - + RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern. @@ -11075,11 +11116,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-010673 - RHEL 8 must disable core dumps for all users. @@ -11094,7 +11135,7 @@ A core dump includes a memory image taken at the time the operating system termi - + RHEL-08-010674 - RHEL 8 must disable storing core dumps. @@ -11108,7 +11149,7 @@ A core dump includes a memory image taken at the time the operating system termi - + RHEL-08-010675 - RHEL 8 must disable core dump backtraces. 
@@ -11122,7 +11163,7 @@ A core dump includes a memory image taken at the time the operating system termi - + RHEL-08-010760 - All RHEL 8 local interactive user accounts must be assigned a home directory upon creation @@ -11134,7 +11175,7 @@ A core dump includes a memory image taken at the time the operating system termi - + RHEL-08-010830 - RHEL 8 must not allow users to override SSH environment variables. @@ -11142,12 +11183,12 @@ A core dump includes a memory image taken at the time the operating system termi SSH environment options potentially allow users to bypass access restriction in some configurations. - - - + + + - + RHEL-08-020010 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. @@ -11160,18 +11201,18 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - - - - - + + + + + + - + RHEL-08-020011 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. @@ -11182,11 +11223,11 @@ From "Pam_Faillock" man pages: Note that the default directory that "pam_failloc From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020012 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
@@ -11199,14 +11240,14 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - + + - + RHEL-08-020013 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. @@ -11219,11 +11260,11 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020014 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. @@ -11236,16 +11277,16 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - - - + + + + - + RHEL-08-020015 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
@@ -11258,11 +11299,11 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020018 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. @@ -11275,14 +11316,14 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - + + - + RHEL-08-020019 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. @@ -11295,11 +11336,11 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020020 - RHEL 8 must log user name information when unsuccessful logon attempts occur. 
@@ -11312,14 +11353,14 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - + + - + RHEL-08-020021 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. @@ -11332,11 +11373,11 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020022 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. @@ -11349,14 +11390,14 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - + - - + + - + RHEL-08-020023 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
@@ -11369,11 +11410,11 @@ In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centraliz From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. - - + + - + RHEL-08-020042 - RHEL 8 must prevent users from disabling session control mechanisms. @@ -11389,7 +11430,7 @@ Tmux is a terminal multiplexer that enables a number of terminals to be created, - + RHEL-08-020180 - RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. @@ -11398,11 +11439,11 @@ Tmux is a terminal multiplexer that enables a number of terminals to be created, Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - - + + - + RHEL-08-020190 - RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def. @@ -11414,7 +11455,7 @@ Tmux is a terminal multiplexer that enables a number of terminals to be created, - + RHEL-08-020200 - RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. @@ -11426,7 +11467,7 @@ Tmux is a terminal multiplexer that enables a number of terminals to be created, - + RHEL-08-020231 - RHEL 8 passwords for new users must have a minimum of 15 characters. @@ -11442,7 +11483,7 @@ The DoD minimum password requirement is 15 characters. - + RHEL-08-020260 - RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. 
@@ -11456,7 +11497,7 @@ RHEL 8 needs to track periods of inactivity and disable application identifiers - + RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. @@ -11468,7 +11509,7 @@ RHEL 8 needs to track periods of inactivity and disable application identifiers - + RHEL-08-020310 - RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. @@ -11482,7 +11523,7 @@ Configuration settings are the set of parameters that can be changed in hardware - + RHEL-08-020330 - RHEL 8 must not have accounts configured with blank or null passwords. @@ -11491,10 +11532,10 @@ Configuration settings are the set of parameters that can be changed in hardware If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - + - + RHEL-08-020350 - RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. @@ -11503,11 +11544,11 @@ Configuration settings are the set of parameters that can be changed in hardware Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use. - - + + - + RHEL-08-020351 - RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. @@ -11519,7 +11560,7 @@ Configuration settings are the set of parameters that can be changed in hardware - + RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. 
@@ -11528,14 +11569,14 @@ Configuration settings are the set of parameters that can be changed in hardware Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - - - - - + + + + + - + RHEL-08-030020 - The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. @@ -11551,7 +11592,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i - + RHEL-08-030040 - The RHEL 8 System must take appropriate action when an audit processing failure occurs. @@ -11567,7 +11608,7 @@ This requirement applies to each audit data storage repository (i.e., distinct i - + RHEL-08-030060 - The RHEL 8 audit system must take appropriate action when the audit storage volume is full. @@ -11585,7 +11626,7 @@ When availability is an overriding concern, other approved actions in response t - + RHEL-08-030061 - The RHEL 8 audit system must audit local events. @@ -11599,7 +11640,7 @@ Audit record content that may be necessary to satisfy this requirement includes, - + RHEL-08-030062 - RHEL 8 must label all off-loaded audit logs before sending them to the central log server. @@ -11617,7 +11658,7 @@ When audit logs are not labeled before they are sent to a central log server, th - + RHEL-08-030063 - RHEL 8 must resolve audit information before writing to disk. @@ -11633,7 +11674,7 @@ Enriched logging aids in making sense of who, what, and when events occur on a s - + RHEL-08-030080 - RHEL 8 audit logs must be owned by root to prevent unauthorized read access. 
@@ -11647,7 +11688,7 @@ The structure and content of error messages must be carefully considered by the - + RHEL-08-030090 - RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. @@ -11661,7 +11702,7 @@ Audit information includes all information (e.g., audit records, audit settings, - + RHEL-08-030100 - RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. @@ -11675,7 +11716,7 @@ Audit information includes all information (e.g., audit records, audit settings, - + RHEL-08-030110 - RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. @@ -11689,7 +11730,7 @@ Audit information includes all information (e.g., audit records, audit settings, - + RHEL-08-030120 - RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. @@ -11703,7 +11744,7 @@ Audit information includes all information (e.g., audit records, audit settings, - + RHEL-08-030121 - RHEL 8 audit system must protect auditing rules from unauthorized change. @@ -11719,7 +11760,7 @@ In immutable mode, unauthorized users cannot execute changes to the audit system - + RHEL-08-030122 - RHEL 8 audit system must protect logon UIDs from unauthorized change. @@ -11735,7 +11776,7 @@ In immutable mode, unauthorized users cannot execute changes to the audit system - + RHEL-08-030130 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. @@ -11746,11 +11787,11 @@ In immutable mode, unauthorized users cannot execute changes to the audit system Audit records can be generated from various components within the information system (e.g., module or policy filter). - - + + - + RHEL-08-030140 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. 
@@ -11761,11 +11802,11 @@ Audit records can be generated from various components within the information sy Audit records can be generated from various components within the information system (e.g., module or policy filter). - - + + - + RHEL-08-030150 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. @@ -11776,11 +11817,11 @@ Audit records can be generated from various components within the information sy Audit records can be generated from various components within the information system (e.g., module or policy filter). - - + + - + RHEL-08-030160 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. @@ -11791,11 +11832,11 @@ Audit records can be generated from various components within the information sy Audit records can be generated from various components within the information system (e.g., module or policy filter). - - + + - + RHEL-08-030170 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. @@ -11806,11 +11847,11 @@ Audit records can be generated from various components within the information sy Audit records can be generated from various components within the information system (e.g., module or policy filter). - - + + - + RHEL-08-030171 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. @@ -11825,7 +11866,7 @@ Audit records can be generated from various components within the information sy - + RHEL-08-030172 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. @@ -11840,7 +11881,7 @@ Audit records can be generated from various components within the information sy - + RHEL-08-030180 - The RHEL 8 audit package must be installed. 
@@ -11853,10 +11894,10 @@ Audit record content that may be necessary to satisfy this requirement includes, Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. - + - + RHEL-08-030190 - Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. @@ -11869,11 +11910,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr system calls. @@ -11893,34 +11934,34 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + RHEL-08-030250 - Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record 
@@ -11935,11 +11976,11 @@ When a user logs on, the AUID is set to the UID of the account that is being aut Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 - - + + - + RHEL-08-030260 - Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record @@ -11954,11 +11995,11 @@ When a user logs on, the AUID is set to the UID of the account that is being aut Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 - - + + - + RHEL-08-030280 - Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. @@ -11971,11 +12012,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030290 - Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. @@ -11988,11 +12029,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030300 - Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. 
@@ -12005,11 +12046,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030301 - Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. @@ -12026,7 +12067,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030302 - Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. @@ -12039,12 +12080,12 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - + + + - + RHEL-08-030310 - Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. @@ -12061,7 +12102,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030311 - Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. @@ -12078,7 +12119,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030312 - Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. @@ -12095,7 +12136,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030313 - Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. 
@@ -12112,7 +12153,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030314 - Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. @@ -12129,7 +12170,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030315 - Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. @@ -12146,7 +12187,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030316 - Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. @@ -12163,7 +12204,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030317 - Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. @@ -12176,11 +12217,11 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030320 - Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. @@ -12193,11 +12234,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030330 - Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. 
@@ -12210,11 +12251,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030340 - Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. @@ -12231,7 +12272,7 @@ When a user logs on, the AUID is set to the UID of the account that is being aut - + RHEL-08-030350 - Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. @@ -12244,11 +12285,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030360 - Successful/unsuccessful uses of the init_module and finit_module command system calls in RHEL 8 must generate an audit record. 
@@ -12263,14 +12304,14 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - + + + + + - + RHEL-08-030361 - Successful/unsuccessful uses of the rename, unlink, rmdir, renameat and unlinkat commandsystem calls in RHEL 8 must generate an audit record. @@ -12301,7 +12342,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - + RHEL-08-030370 - Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. @@ -12314,11 +12355,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030390 - Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. @@ -12331,12 +12372,12 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - - + + + - + RHEL-08-030400 - Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. 
@@ -12349,11 +12390,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030410 - Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. @@ -12366,11 +12407,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030420 - Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record. @@ -12388,34 +12429,34 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + RHEL-08-030480 - Successful/unsuccessful uses of the chown, fchown, fchownat and lchown system calls in RHEL 8 must generate an audit record. 
@@ -12433,18 +12474,18 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - - - + + + + + + + + + - + RHEL-08-030490 - Successful/unsuccessful uses of the chmod, fchmod and fchmodat system calls in RHEL 8 must generate an audit record. @@ -12460,16 +12501,16 @@ When a user logs on, the AUID is set to the UID of the account that is being aut The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. - - - - - - - + + + + + + + - + RHEL-08-030550 - Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. @@ -12482,11 +12523,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030560 - Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. 
@@ -12499,11 +12540,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030570 - Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. @@ -12516,11 +12557,11 @@ Audit records can be generated from various components within the information sy When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. - - + + - + RHEL-08-030580 - Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. @@ -12547,7 +12588,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record - + RHEL-08-030600 - Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. @@ -12570,11 +12611,11 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record 4) All kernel module load, unload, and restart actions. - - + + - + RHEL-08-030610 - RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. @@ -12587,7 +12628,7 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record - + RHEL-08-030620 - RHEL 8 audit tools must have a mode of 0755 or less permissive. 
@@ -12603,7 +12644,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - + RHEL-08-030630 - RHEL 8 audit tools must be owned by root. @@ -12619,7 +12660,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - + RHEL-08-030640 - RHEL 8 audit tools must be group-owned by root. @@ -12635,7 +12676,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - + RHEL-08-030680 - RHEL 8 must have the packages required for encrypting offloaded audit logs installed. @@ -12655,10 +12696,10 @@ RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. - + - + RHEL-08-030700 - RHEL 8 must take appropriate action when the internal event queue is full. @@ -12674,7 +12715,7 @@ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility p - + RHEL-08-030730 - RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. @@ -12686,7 +12727,7 @@ RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility p - + RHEL-08-030741 - RHEL 8 must disable the chrony daemon from acting as a server. @@ -12704,7 +12745,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - + RHEL-08-030742 - RHEL 8 must disable network management of the chrony daemon. @@ -12722,7 +12763,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - + RHEL-08-040000 - RHEL 8 must not have the telnet-server package installed. @@ -12741,10 +12782,10 @@ The telnet service provides an unencrypted remote access service that does not p If a privileged user were to log on using this service, the privileged user password could be compromised. - + - + RHEL-08-040001 - RHEL 8 must not have any automated bug reporting tools installed. 
@@ -12759,10 +12800,10 @@ Examples of non-essential capabilities include, but are not limited to, games, s Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - + - + RHEL-08-040002 - RHEL 8 must not have the sendmail package installed. @@ -12777,10 +12818,10 @@ Examples of non-essential capabilities include, but are not limited to, games, s Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. - + - + RHEL-08-040010 - RHEL 8 must not have the rsh-server package installed. @@ -12795,10 +12836,10 @@ The rsh-server service provides an unencrypted remote access service that does n If a privileged user were to log on using this service, the privileged user password could be compromised. - + - + RHEL-08-040060 - RHEL 8 must enforce SSHv2 for network access to all accounts. @@ -12815,11 +12856,11 @@ Techniques used to address this include protocols using nonces (e.g., numbers ge RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 percent SSHv2 implementation since version 7.6 in late 2017 and dropped support of SSH protocol version 1. - - + + - + RHEL-08-040120 - RHEL 8 must mount /dev/shm with the nodev option. @@ -12838,7 +12879,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040121 - RHEL 8 must mount /dev/shm with the nosuid option. @@ -12855,7 +12896,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040122 - RHEL 8 must mount /dev/shm with the noexec option. @@ -12874,7 +12915,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040123 - RHEL 8 must mount /tmp with the nodev option. 
@@ -12894,7 +12935,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040124 - RHEL 8 must mount /tmp with the nosuid option. @@ -12912,7 +12953,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040125 - RHEL 8 must mount /tmp with the noexec option. @@ -12932,7 +12973,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040126 - RHEL 8 must mount /var/log with the nodev option. @@ -12952,7 +12993,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040127 - RHEL 8 must mount /var/log with the nosuid option. @@ -12972,7 +13013,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040128 - RHEL 8 must mount /var/log with the noexec option. @@ -12992,7 +13033,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040129 - RHEL 8 must mount /var/log/audit with the nodev option. @@ -13012,7 +13053,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040130 - RHEL 8 must mount /var/log/audit with the nosuid option. @@ -13032,7 +13073,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040131 - RHEL 8 must mount /var/log/audit with the noexec option. @@ -13052,7 +13093,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040132 - RHEL 8 must mount /var/tmp with the nodev option. @@ -13071,7 +13112,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040133 - RHEL 8 must mount /var/tmp with the nosuid option. @@ -13090,7 +13131,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040134 - RHEL 8 must mount /var/tmp with the noexec option. 
@@ -13109,7 +13150,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - + RHEL-08-040160 - All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. @@ -13126,7 +13167,7 @@ Protecting the confidentiality and integrity of organizational information can b - + RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. @@ -13140,12 +13181,12 @@ Protecting the confidentiality and integrity of organizational information can b Session key regeneration limits the chances of a session key becoming compromised. - - - + + + - + RHEL-08-040172 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. @@ -13154,10 +13195,10 @@ Session key regeneration limits the chances of a session key becoming compromise A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - + - + RHEL-08-040190 - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. 
@@ -13166,10 +13207,10 @@ Session key regeneration limits the chances of a session key becoming compromise If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established. - + - + RHEL-08-040200 - The root account must be the only account having unrestricted access to the RHEL 8 system. @@ -13181,7 +13222,7 @@ Session key regeneration limits the chances of a session key becoming compromise - + RHEL-08-040210 - RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. @@ -13198,14 +13239,14 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - - + + - + RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. @@ -13224,11 +13265,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. @@ -13247,11 +13288,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-040240 - RHEL 8 must not forward source-routed packets. @@ -13268,14 +13309,14 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - - + + - + RHEL-08-040250 - RHEL 8 must not forward source-routed packets by default. @@ -13292,14 +13333,14 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - - + + - + RHEL-08-040260 - RHEL 8 must not be performing packet forwarding unless the system is a router. 
@@ -13316,14 +13357,14 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - + - - + + - + RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces. @@ -13344,12 +13385,12 @@ The sysctl --system command will load settings from all system configuration fil - - + + - + RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. @@ -13370,12 +13411,12 @@ The sysctl --system command will load settings from all system configuration fil - - + + - + RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. @@ -13398,7 +13439,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. @@ -13417,12 +13458,12 @@ The sysctl --system command will load settings from all system configuration fil - - + + - + RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes. @@ -13439,11 +13480,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. @@ -13460,11 +13501,11 @@ The sysctl --system command will load settings from all system configuration fil /etc/sysctl.conf - - + + - + RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access. @@ -13485,7 +13526,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040284 - RHEL 8 must disable the use of user namespaces. @@ -13506,7 +13547,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. 
@@ -13527,7 +13568,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040290 - RHEL 8 must be configured to prevent unrestricted mail relaying. @@ -13540,7 +13581,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-040340 - RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. @@ -13551,11 +13592,11 @@ X11 forwarding should be enabled with caution. Users with the ability to bypass If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs. - - + + - + RHEL-08-040341 - The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. @@ -13564,11 +13605,11 @@ If X11 services are not required for the system's intended function, they should When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. - - + + - + RHEL-08-040350 - If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. @@ -13581,7 +13622,7 @@ If X11 services are not required for the system's intended function, they should - + RHEL-08-040360 - A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. 
@@ -13590,10 +13631,10 @@ If X11 services are not required for the system's intended function, they should The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. - + - + RHEL-08-040370 - The gssproxy package must not be installed unless mission essential on RHEL 8. @@ -13606,10 +13647,10 @@ Operating systems are capable of providing a wide variety of functions and servi The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. - + - + RHEL-08-040380 - The iprutils package must not be installed unless mission essential on RHEL 8. @@ -13622,10 +13663,10 @@ Operating systems are capable of providing a wide variety of functions and servi The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. - + - + RHEL-08-040390 - The tuned package must not be installed unless mission essential on RHEL 8. @@ -13638,10 +13679,10 @@ Operating systems are capable of providing a wide variety of functions and servi The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. - + - + RHEL-08-030670 - RHEL 8 must have the packages required for offloading audit logs installed. 
@@ -13661,10 +13702,10 @@ RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. - + - + RHEL-08-010163 - The krb5-server package must not be installed on RHEL 8. @@ -13679,11 +13720,11 @@ Currently, Kerberos does not utilize FIPS 140-2 cryptography. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. - - + + - + RHEL-08-010382 - RHEL 8 must restrict privilege elevation to authorized personnel. @@ -13692,11 +13733,11 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. - - + + - + RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". @@ -13707,20 +13748,20 @@ For more information on each of the listed configurations, reference the sudoers - - + + - - + + - - + + - + RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. @@ -13736,7 +13777,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + RHEL-08-020331 - RHEL 8 must not allow blank or null passwords in the system-auth file. @@ -13748,7 +13789,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + RHEL-08-020332 - RHEL 8 must not allow blank or null passwords in the password-auth file. 
@@ -13760,7 +13801,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. @@ -13783,7 +13824,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-010121 - The RHEL 8 operating system must not have accounts configured with blank or null passwords. @@ -13795,7 +13836,7 @@ The sysctl --system command will load settings from all system configuration fil - + RHEL-08-010000 - RHEL 8 must be a vendor-supported release. @@ -13810,7 +13851,7 @@ Note: The life-cycle time spans and dates are subject to adjustment. - + RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. @@ -13828,7 +13869,7 @@ Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPO - + RHEL-08-010160 - The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. @@ -13844,7 +13885,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - + RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. @@ -13862,7 +13903,7 @@ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPO - + RHEL-08-010300 - RHEL 8 system commands must have mode 755 or less permissive. 
@@ -13876,7 +13917,7 @@ This requirement applies to RHEL 8 with software libraries that are accessible a - + RHEL-08-010371 - RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. @@ -13892,7 +13933,7 @@ Verifying the authenticity of the software prior to installation validates the i - + RHEL-08-010450 - RHEL 8 must enable the SELinux targeted policy. @@ -13906,7 +13947,7 @@ This requirement applies to operating systems performing security function verif - + RHEL-08-010540 - RHEL 8 must use a separate file system for /var. @@ -13918,7 +13959,7 @@ This requirement applies to operating systems performing security function verif - + RHEL-08-010541 - RHEL 8 must use a separate file system for /var/log. @@ -13930,7 +13971,7 @@ This requirement applies to operating systems performing security function verif - + RHEL-08-020024 - RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. @@ -13944,7 +13985,7 @@ This requirement addresses concurrent sessions for information system accounts a - + RHEL-08-020040 - RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. @@ -13962,7 +14003,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - + RHEL-08-020100 - RHEL 8 must ensure the password complexity module is enabled in the password-auth file. @@ -13978,7 +14019,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This - + RHEL-08-020110 - RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. 
@@ -13994,7 +14035,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th - + RHEL-08-020120 - RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. @@ -14010,7 +14051,7 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th - + RHEL-08-020130 - RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. @@ -14026,7 +14067,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - + RHEL-08-020140 - RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. @@ -14042,7 +14083,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - + RHEL-08-020150 - RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. @@ -14058,7 +14099,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - + RHEL-08-020160 - RHEL 8 must require the change of at least four character classes when passwords are changed. @@ -14074,7 +14115,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - + RHEL-08-020170 - RHEL 8 must require the change of at least 8 characters when passwords are changed. @@ -14090,7 +14131,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - + RHEL-08-020210 - RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. @@ -14102,7 +14143,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - + RHEL-08-020220 - RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. 
@@ -14120,7 +14161,7 @@ Note that manual changes to the listed files may be overwritten by the "authsele - + RHEL-08-020230 - RHEL 8 passwords must have a minimum of 15 characters. @@ -14140,7 +14181,7 @@ The DoD minimum password requirement is 15 characters. - + RHEL-08-020280 - All RHEL 8 passwords must contain at least one special character. @@ -14156,7 +14197,7 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - + RHEL-08-020290 - RHEL 8 must prohibit the use of cached authentications after one day. @@ -14170,7 +14211,7 @@ RHEL 8 includes multiple options for configuring authentication, but this requir - + RHEL-08-020340 - RHEL 8 must display the date and time of the last successful account logon upon logon. @@ -14182,7 +14223,7 @@ RHEL 8 includes multiple options for configuring authentication, but this requir - + RHEL-08-030070 - RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. @@ -14198,7 +14239,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - + RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. @@ -14214,7 +14255,7 @@ The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data li - + RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. @@ -14230,7 +14271,7 @@ The Controller Area Network (CAN) is a serial communications protocol, which was - + RHEL-08-040023 - RHEL 8 must disable the stream control transmission protocol (SCTP). @@ -14246,7 +14287,7 @@ The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, d - + RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. @@ -14262,7 +14303,7 @@ The Transparent Inter-Process Communication (TIPC) protocol is designed to provi - + RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. 
@@ -14278,7 +14319,7 @@ Compressed ROM/RAM file system (or cramfs) is a read-only file system designed f - + RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. @@ -14292,7 +14333,7 @@ The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time commu - + RHEL-08-040080 - RHEL 8 must be configured to disable USB mass storage. @@ -14306,7 +14347,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163 - + RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. @@ -14322,7 +14363,7 @@ Protecting the confidentiality and integrity of communications with wireless per - + RHEL-08-010159 - The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. @@ -14338,7 +14379,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - + RHEL-08-020102 - RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. @@ -14356,7 +14397,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + RHEL-08-020035 - RHEL 8 must terminate idle user sessions. @@ -14370,68 +14411,66 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 
@@ -14449,1444 +14488,1462 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - + - + + + + + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 
- + - + - + - + - + - + - + - + - + @@ -15903,12 +15960,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*PRETTY_NAME="Red Hat Enterprise Linux 8\.(\d+)\b 1 - + /proc/sys/crypto/fips_enabled ^(\d+)$ 1 - + /boot/grub2/grubenv ^\s*kernelopts=[^#]*fips=(\d+)\b 1 @@ -15944,35 +16001,35 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^[^# \t]+\s+/var/log\s+ 1 - + oval:mil.disa.stig.ind:obj:23034601 oval:mil.disa.stig.ind:obj:23034602 - + /etc/security/limits.conf ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ 1 - + /etc/security/limits.d .*\.conf$ ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ 1 - + oval:mil.disa.stig.ind:obj:23034604 oval:mil.disa.stig.ind:obj:23034605 - + /etc/security/limits.conf ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ 1 - + /etc/security/limits.d .*\.conf$ ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ @@ -16172,7 +16229,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 - + /etc/sssd/conf.d ^.+\.conf$ ^\s*cache_credentials\s*=\s*true\b$ @@ -16267,6 +16324,16 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^[ \t]*blacklist[ \t]+cramfs[ \t]*$ 1 + + /etc/modprobe.conf + ^[ \t]*install[ \t]+cramfs[ \t]+/bin/false[ \t]*$ + 1 + + + /etc/modprobe.conf + ^[ \t]*blacklist[ \t]+cramfs[ \t]*$ + 1 + /etc/modprobe.d .* @@ -16314,9 +16381,8 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) 1 - - /etc/systemd - logind.conf + + /etc/systemd/logind.conf ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 
@@ -16332,32 +16398,38 @@ By limiting the number of attempts to meet the pwquality module complexity requi /var/log + + /etc + os-release + ^\s*CPE_NAME="cpe:/o:redhat:enterprise_linux:(\d+)\b + 1 + net.ipv6.conf.all.disable_ipv6 - + /etc/sysctl.conf (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:9801 oval:mil.disa.stig.rhel8:obj:9802 - + /proc/cmdline \bipv6\.disable=1\b 1 - + openssh @@ -16372,17 +16444,27 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*PRETTY_NAME="Red Hat Enterprise Linux 8\.(\d+)\b 1 - + + /proc/sys/crypto/fips_enabled + ^(\d+)$ + 1 + + + /boot/grub2/grubenv + ^\s*kernelopts=[^#]*fips=(\d+)\b + 1 + + /etc/login.defs ^\s*ENCRYPT_METHOD\s+([^#\r\n]*) 1 - + /etc/shadow ^[^:]+:([^:]*): 1 - + oval:mil.disa.stig.rhel8:obj:10400 oval:mil.disa.stig.rhel8:ste:10400 @@ -16399,30 +16481,30 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b 1 - + /boot/efi/EFI/redhat/grub.cfg ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ 1 - + /boot/efi/EFI/redhat/user.cfg ^\s*GRUB2_PASSWORD=(\S+)\b 1 - + /boot/efi/EFI/redhat/grub.cfg - + /boot/grub2/grub.cfg ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ 1 - + /boot/grub2/user.cfg ^\s*GRUB2_PASSWORD=(\S+)\b 1 - + /boot/grub2/grub.cfg @@ -16431,11 +16513,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*ExecStart=-\/usr\/lib\/systemd\/systemd-sulogin-shell\srescue$ 1 - + /etc \.keytab$ - + krb5-server @@ -16447,7 +16529,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi /var/log/messages - + /var/log 
@@ -16474,11 +16556,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*DTLS\.MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$ 1 - + .* - + oval:mil.disa.stig.rhel8:obj:12400 oval:mil.disa.stig.rhel8:ste:12400 @@ -16493,19 +16575,19 @@ By limiting the number of attempts to meet the pwquality module complexity requi kernel.kexec_load_disabled - + /etc/sysctl.d \.conf$ (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:13201 oval:mil.disa.stig.rhel8:obj:13202 @@ -16514,18 +16596,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi fs.protected_symlinks - + \.conf$ (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:13301 oval:mil.disa.stig.rhel8:obj:13302 @@ -16534,18 +16616,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi fs.protected_hardlinks - + \.conf$ (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:13401 oval:mil.disa.stig.rhel8:obj:13402 @@ -16554,18 +16636,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi kernel.dmesg_restrict - + \.conf$ (?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:13501 oval:mil.disa.stig.rhel8:obj:13502 
@@ -16574,18 +16656,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi kernel.perf_event_paranoid - + \.conf$ (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:13601 oval:mil.disa.stig.rhel8:obj:13602 @@ -16644,21 +16726,21 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 - + / shosts.equiv - + / .shosts - - + + /etc/ssh ^.*\.pub$ - + /etc/ssh ^ssh_host.*key$ @@ -16672,10 +16754,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*(?i)IgnoreUserKnownHosts(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ 1 - + /etc/ssh/sshd_config ^\s*(?i)KerberosAuthentication(?-i)\s+(\w+)\s*(?:|(?:#.*))?$ - 1 + 1 /var/log @@ -16754,18 +16836,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi kernel.core_pattern - + /etc/sysctl.conf (?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+) 1 - + \.conf$ (?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+) 1 - + oval:mil.disa.stig.rhel8:obj:16801 oval:mil.disa.stig.rhel8:obj:16802 
@@ -16815,136 +16897,136 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*ProcessSizeMax\s*=\s*(\w*)\s*(?:#.*)?$ 1 - + /etc/login.defs ^\s*CREATE_HOME\s+([^#\s]+) 1 - + /etc/ssh/sshd_config ^\s*(?i)PermitUserEnvironment(?-i)\s+(\w+)\s*(?:|(?:#.*))?$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+authfail(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+authfail(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+deny=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+deny=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/system-auth - ^\s*account\s+required\s+pam_faillock\.so\s*$ - 1 - - - /etc/pam.d/password-auth - ^\s*account\s+required\s+pam_faillock\.so\s*$ - 1 - - - /etc/security/faillock.conf - ^\s*deny\s*=\s*([\d]+)\s*$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+fail_interval=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+fail_interval=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*fail_interval\s*=\s*([\d]+)\s*$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+authfail.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+authfail.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*unlock_time\s*=\s*([\d]+)\s*$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+silent(?:[ \t]+.*)?$ - 1 - - - 
/etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+silent(?:[ \t]+.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*silent\s*$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+audit(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+audit(?:[ \t]+.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*audit\s*$ - 1 - - - /etc/pam.d/system-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+even_deny_root(?:[ \t]+.*)?$ - 1 - - - /etc/pam.d/password-auth - ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+even_deny_root(?:[ \t]+.*)?$ - 1 - - - /etc/security/faillock.conf - ^\s*even_deny_root\s*$ - 1 - + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+authfail(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+authfail(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+deny=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+deny=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/system-auth + ^\s*account\s+required\s+pam_faillock\.so\s*$ + 1 + + + /etc/pam.d/password-auth + ^\s*account\s+required\s+pam_faillock\.so\s*$ + 1 + + + /etc/security/faillock.conf + ^\s*deny\s*=\s*([\d]+)\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+fail_interval=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+fail_interval=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*fail_interval\s*=\s*([\d]+)\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+unlock_time=([0-9]+)(?:[ 
\t]+.*)?$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+authfail.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+authfail.*[ \t]+unlock_time=([0-9]+)(?:[ \t]+.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*unlock_time\s*=\s*([\d]+)\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+silent(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+silent(?:[ \t]+.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*silent\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+audit(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+audit(?:[ \t]+.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*audit\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+even_deny_root(?:[ \t]+.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*[ \t]+even_deny_root(?:[ \t]+.*)?$ + 1 + + + /etc/security/faillock.conf + ^\s*even_deny_root\s*$ + 1 + /etc/shells @@ -16956,8 +17038,8 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^root:[^:]*:[^:]*:0*: 1 - - + + oval:mil.disa.stig.rhel8:ste:20400 oval:mil.disa.stig.rhel8:ste:20401 @@ -16971,12 +17053,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^nobody:[^:]*:([0-9]+): 1 - + /etc/login.defs ^\s*PASS_MIN_DAYS\s+(\d*) 1 - + /etc/login.defs ^\s*PASS_MAX_DAYS\s+(\d*) 1 @@ -17004,7 +17086,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ 1 - + oval:mil.disa.stig.rhel8:obj:21400 oval:mil.disa.stig.rhel8:obj:21401 
@@ -17015,7 +17097,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*FAIL_DELAY\s+(\d+)\s*$ 1 - + /etc/ssh/sshd_config ^\s*(?i)PermitEmptyPasswords(?-i)\s+yes\s*$ 1 @@ -17025,27 +17107,27 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ 1 - + /etc/login.defs ^\s*UMASK\s+([^#\s]+) 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+uid!=euid\s+-F\s+euid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+execve\s+-C\s+gid!=egid\s+-F\s+egid=0\s*((\s+-k\s+|-F\s+key=)\S+\s*)?$ 1 @@ -17080,7 +17162,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi (?i)^\s*log_format\s*=\s*(\w+)\s*(?:#.*)?$ 1 - + @@ -17088,7 +17170,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ 1 - + 
@@ -17146,102 +17228,102 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lremovexattr\s+|(\s+|,)lremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+removexattr\s+|(\s+|,)removexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+removexattr\s+|(\s+|,)removexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+removexattr\s+|(\s+|,)removexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+removexattr\s+|(\s+|,)removexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lsetxattr\s+|(\s+|,)lsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lsetxattr\s+|(\s+|,)lsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lsetxattr\s+|(\s+|,)lsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lsetxattr\s+|(\s+|,)lsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fsetxattr\s+|(\s+|,)fsetxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 
- + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fremovexattr\s+|(\s+|,)fremovexattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 @@ -17256,22 +17338,22 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/chcon\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+setxattr\s+|(\s+|,)setxattr(\s+|,))).*-F\s+auid=0(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 
@@ -17296,12 +17378,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/umount\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+mount\s+|(\s+|,)mount(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+mount\s+|(\s+|,)mount(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 
@@ -17366,62 +17448,62 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/newgrp\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+init_module\s+|(\s+|,)init_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+renameat\s+|(\s+|,)renameat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - 
+ /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlink\s+|(\s+|,)unlink(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+unlinkat\s+|(\s+|,)unlinkat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 
@@ -17431,22 +17513,22 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/gpasswd\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+finit_module\s+|(\s+|,)finit_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+delete_module\s+|(\s+|,)delete_module(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 
@@ -17461,192 +17543,192 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/usr/bin/chsh\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+truncate\s+|(\s+|,)truncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+openat\s+|(\s+|,)openat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open\s+|(\s+|,)open(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+open_by_handle_at\s+|(\s+|,)open_by_handle_at(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+ftruncate\s+|(\s+|,)ftruncate(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+creat\s+|(\s+|,)creat(\s+|,))).*-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chown\s+|(\s+|,)chown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+chmod\s+|(\s+|,)chmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+lchown\s+|(\s+|,)lchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchownat\s+|(\s+|,)fchownat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules 
^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchown\s+|(\s+|,)fchown(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmodat\s+|(\s+|,)fchmodat(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 - + /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+fchmod\s+|(\s+|,)fchmod(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 @@ -17683,7 +17765,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi /etc/audit/rules.d .rules$ - + @@ -17721,7 +17803,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi rsh-server - + ^/usr/sbin/sshd\b 1 @@ -17771,12 +17853,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi openssh-server - + /etc/ssh/sshd_config ^\s*(?i)RekeyLimit\s+(?:\d+[kmg]?)\s+(?:\d+[smdhw]?)+(?-i)\s* - 1 + 1 - + /etc/systemd/system.conf ^\s*CtrlAltDelBurstAction\s*=\s*(\S+)\s*$ 1 
@@ -17790,18 +17872,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.default.accept_redirects - + /etc/sysctl.conf (?:^|.*\n)\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ 1 - + ^.*\.conf$ (?:^|.*\n)\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:34805 oval:mil.disa.stig.rhel8:obj:34806 @@ -17810,18 +17892,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv4.conf.all.send_redirects - + /etc/sysctl.conf (?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$ 1 - + ^.*\.conf$ (?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:34901 oval:mil.disa.stig.rhel8:obj:34902 @@ -17830,30 +17912,30 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv4.icmp_echo_ignore_broadcasts - + /etc/sysctl.conf (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ 1 - + ^.*\.conf$ (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35001 oval:mil.disa.stig.rhel8:obj:35002 - + \.conf$ (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35101 oval:mil.disa.stig.rhel8:obj:35105 @@ -17862,17 +17944,17 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.all.accept_source_route - + /etc/sysctl.conf (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35202 oval:mil.disa.stig.rhel8:obj:35205 
@@ -17881,19 +17963,19 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.default.accept_source_route - + \.conf$ (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35301 oval:mil.disa.stig.rhel8:obj:35305 @@ -17902,7 +17984,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.all.forwarding - + /etc/sysctl.conf (?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ 1 @@ -17910,18 +17992,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.all.accept_ra - + /etc/sysctl.conf (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35401 oval:mil.disa.stig.rhel8:obj:35402 @@ -17930,18 +18012,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.default.accept_ra - + \.conf$ (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35501 oval:mil.disa.stig.rhel8:obj:35502 @@ -17970,18 +18052,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi net.ipv6.conf.all.accept_redirects - + \.conf (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ 1 - + /etc/sysctl.conf (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35701 oval:mil.disa.stig.rhel8:obj:35702 
@@ -17995,13 +18077,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35801 oval:mil.disa.stig.rhel8:obj:35802 @@ -18015,13 +18097,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ 1 - + \.conf$ (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ 1 - + oval:mil.disa.stig.rhel8:obj:35901 oval:mil.disa.stig.rhel8:obj:35902 @@ -18101,7 +18183,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^\s*X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$ 1 - + /etc/ssh/sshd_config ^\s*(?i)X11UseLocalhost(?-i)\s+"?(\S+?)"?\s*(?:#.*|$) 1 @@ -18224,11 +18306,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^[^:]+::[^:]*:[^:]*: 1 - + .* - + oval:mil.disa.stig.unix:obj:20000008 oval:mil.disa.stig.unix:ste:20000002 @@ -18237,16 +18319,16 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + .+ oval:mil.disa.stig.unix:ste:23036702 - - .* + + .* oval:mil.disa.stig.unix:ste:23036704 oval:mil.disa.stig.unix:ste:23036703 - + root @@ -18254,15 +18336,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 - - 6 - 8 - - 9 - 10 @@ -18311,7 +18387,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi selinuxfs - + + 8 + + 2 @@ -18320,38 +18399,41 @@ By limiting the number of attempts to meet the pwquality module complexity requi 1 + + 1 + SHA512 - + ^[!*] - + ^[$][6] 5000 - + ^\S+$ - + ^grub.pbkdf2.sha512 - + ^\S+$ - + ^grub.pbkdf2.sha512 - + 18 1.17 - + 1.17 - + false false false @@ -18362,13 +18444,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi false false - - 0 + + 0 - + 0 - + false false false 
@@ -18390,16 +18472,16 @@ By limiting the number of attempts to meet the pwquality module complexity requi DTLSv1.3 - - symbolic link + + symbolic link - + 1000 - + \n\s*gpgcheck\s*=\s*(True|1|yes)\s*(\n|$) - + \n\s*gpgcheck\s*=\s*(False|0|no)\s*(\n|$) @@ -18438,7 +18520,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi 2 - + false false false @@ -18454,7 +18536,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi ^(yes|"yes")$ - + no @@ -18487,55 +18569,55 @@ By limiting the number of attempts to meet the pwquality module complexity requi yes - + no - + 3 - + 2 - + 0 - + 3 - + 2 - + + 0 + + + 900 + + 0 - - 900 - - - 0 - 900 - + 2 - - 0 - - + + 0 + + 0 - + 2 - + 2 - + 2 - + 2 @@ -18598,13 +18680,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi (?i)^enriched$ - + 0 - + 0 - + false false false @@ -18618,7 +18700,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi 25% - + 0:7.6p1-0 @@ -18648,7 +18730,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi (?:^noexec$|^noexec,|,noexec$|,noexec,) - + ^(?i)\s*RekeyLimit\s+[1-9][0-9]*[kmg]?\s+([1-9][0-9]*[smhdw]?)+\s*$ @@ -18756,14 +18838,14 @@ By limiting the number of attempts to meet the pwquality module complexity requi 0 - - symbolic link + + symbolic link false false - + false false false @@ -18775,24 +18857,24 @@ By limiting the number of attempts to meet the pwquality module complexity requi false false - + 0 - + 60 - + - + 1000 - + /bin /sbin /usr/bin @@ -18800,13 +18882,14 @@ By limiting the number of attempts to meet the pwquality module complexity requi /usr/local/bin /usr/local/sbin - + - + ^ - + + $ @@ -18815,7 +18898,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi 4294967294 4294967295 - + /bin /sbin /usr/bin 
@@ -18823,14 +18906,14 @@ By limiting the number of attempts to meet the pwquality module complexity requi /usr/local/bin /usr/local/sbin - + /etc/sysctl.d /run/sysctl.d /lib/sysctl.d /usr/lib/sysctl.d /usr/local/lib/sysctl.d - + /etc/sysctl.d /run/sysctl.d /lib/sysctl.d @@ -18848,15 +18931,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - - + + - + - + /sbin/auditctl /sbin/aureport /sbin/ausearch @@ -18865,29 +18948,29 @@ By limiting the number of attempts to meet the pwquality module complexity requi /sbin/rsyslogd /sbin/augenrules - + - + - + - + /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d - + /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d @@ -18897,21 +18980,21 @@ By limiting the number of attempts to meet the pwquality module complexity requi - + - repotool - 5.10 - 2023-12-27T16:41:10 + Security Content Tool 0.7.0 + 5.11 + 2024-06-28T03:23:21 - + RHEL 8 is installed Red Hat Enterprise Linux 8 - + RHEL 8 is installed @@ -18920,7 +19003,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - +
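Review bot: in the final hunk (`@@ -18897,21 +18980,21 @@`) the generator block replaces `repotool` / `5.10` / `2023-12-27T16:41:10` with `Security Content Tool 0.7.0` / `5.11` / `2024-06-28T03:23:21`, and in an OVAL generator block the middle value is the schema version, so this reference file now declares OVAL 5.11 where it previously declared 5.10. Any in-tree script that parses this reference (for example a STIG coverage comparison against the project's own profiles) should be exercised against the new file before merge, and the commit message should mention the schema-version bump explicitly; a refreshed benchmark date alone does not tell a consumer that the document format moved.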
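Review bot: the `- +` pairs in the sysctl hunks for `net.ipv6.conf.all.accept_ra`, `net.ipv6.conf.default.accept_ra`, `kernel.unprivileged_bpf_disabled` and `kernel.yama.ptrace_scope` carry patterns of the form `(?:^|\.*\n)\s*…`, while the neighbouring `accept_redirects`, `send_redirects`, `icmp_echo_ignore_broadcasts` and `accept_source_route` hunks use `(?:^|.*\n)\s*…`. The escaped form matches a run of literal dots before the newline rather than "any preceding line"; in practice both forms still match every setting line after the first because the `\n` alternative covers it, but the inconsistency reads as an upstream typo. Since this is a vendored DISA reference it should not be hand-corrected here, but it is worth noting in the PR and reporting upstream so that nobody later treats the two pattern families as intentionally different.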
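Review bot: the commit message should summarise which checks actually change content, because the bulk of the diff is `- +` pairs whose visible text is identical (attribute-only updates, for example the long runs of `/etc/audit/audit.rules` regexes in `@@ -17146,102 +17228,102 @@` and `@@ -17461,192 +17543,192 @@`), which hides the handful of hunks that do change values: `@@ -18254,15 +18336,9 @@` drops the `6`/`8` and `9`/`10` entries, `@@ -18311,7 +18387,10 @@` and `@@ -18320,38 +18399,41 @@` add `8`, `2` and `1` entries, `@@ -18487,55 +18569,55 @@` reorders the `0` and `900` values, and `@@ -18800,13 +18882,14 @@` adds a `$` entry next to the existing `^` one. Listing the STIG rule IDs those value changes belong to would let reviewers confirm the project's corresponding checks (audit rules, session timeout, sysctl states) still line up with the refreshed reference.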