Definition of Security Requirements Guide - General Purpose Operating System for ol9

Variables: Variables

Description: None

• high
• medium
• low

Automated: no

• login_banner_text = dod_banners
• sshd_approved_ciphers = stig_extended
• sshd_approved_macs = stig_extended
• sshd_idle_timeout_value = 10_minutes
• var_account_disable_post_pw_expiration = 35
• var_accounts_authorized_local_users_regex = rhel8
• var_auditd_name_format = stig
• var_authselect_profile = sssd
• var_password_hashing_algorithm = SHA512
• var_password_pam_dictcheck = 1
• var_sshd_disable_compression = no

SRG-OS-000113-GPOS-00058: Oracle Linux 9 must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000079-GPOS-00047: Oracle Linux 9 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Description: Oracle Linux 9 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

• medium

Automated: no

No rules selected

SRG-OS-000038-GPOS-00016: Oracle Linux 9 must produce audit records containing information to establish when (date and time) the events occurred.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000326-GPOS-00126: Oracle Linux 9 must prevent all software from executing at higher privilege levels than users executing the software.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

SRG-OS-000042-GPOS-00020: Oracle Linux 9 must generate audit records containing the full-text recording of privileged commands.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_pt_chown: Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

SRG-OS-000070-GPOS-00038: Oracle Linux 9 must enforce password complexity by requiring that at least one lower-case character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• var_password_pam_lcredit = 1

SRG-OS-000356-GPOS-00144: Oracle Linux 9 must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• var_time_service_set_maxpoll = 18_hours

SRG-OS-000480-GPOS-00229: Oracle Linux 9 must not allow an unattended or automatic logon to the system.

Description: None

• high

Automated: yes

• disable_host_auth: Disable Host-Based Authentication
• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

SRG-OS-000426-GPOS-00190: Oracle Linux 9 must maintain the confidentiality and integrity of information during reception.

Description: None

• medium

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy
• package_openssh-server_installed: Install the OpenSSH Server Package
• service_sshd_enabled: Enable the OpenSSH Service

SRG-OS-000373-GPOS-00157: Oracle Linux 9 must require users to re-authenticate when changing roles.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

SRG-OS-000125-GPOS-00065: Oracle Linux 9 must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

Description: None

• high

Automated: yes

• sshd_enable_pam: Enable PAM
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1

SRG-OS-000185-GPOS-00079: Oracle Linux 9 must protect the confidentiality and integrity of all information at rest.

Description: None

• medium

Automated: yes

• encrypt_partitions: Encrypt Partitions

SRG-OS-000259-GPOS-00100: Oracle Linux 9 must limit privileges to change software resident within software libraries.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership
• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership
• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions
• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account
• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership
• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership
• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions
• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions
• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

SRG-OS-000424-GPOS-00188: Oracle Linux 9 must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

Description: None

• high

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package
• service_sshd_enabled: Enable the OpenSSH Service
• ssh_client_rekey_limit: Configure session renegotiation for SSH client
• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SRG-OS-000324-GPOS-00125: Oracle Linux 9 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action
• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation
• no_tmux_in_shells: Prevent user from disabling the screen lock
• package_sudo_installed: Install sudo Package
• service_debug-shell_disabled: Disable debug-shell SystemD Service
• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

SRG-OS-000312-GPOS-00123: Oracle Linux 9 must allow operating system admins to grant their privileges to other operating system admins.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks
• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

SRG-OS-000423-GPOS-00187: Oracle Linux 9 must protect the confidentiality and integrity of transmitted information.

Description: None

• high

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy
• package_openssh-server_installed: Install the OpenSSH Server Package
• service_sshd_enabled: Enable the OpenSSH Service
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1

SRG-OS-000355-GPOS-00143: Oracle Linux 9 must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_server_directive: Ensure Chrony is only configured with the server directive
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• package_chrony_installed: The Chrony package is installed
• service_chronyd_enabled: The Chronyd service is enabled
• var_multiple_time_servers = stig

SRG-OS-000134-GPOS-00068: Oracle Linux 9 must isolate security functions from nonsecurity functions.

Description: None

• medium

Automated: yes

• grub2_page_poison_argument: Enable page allocator poisoning
• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning
• grub2_vsyscall_argument: Disable vsyscalls
• package_policycoreutils_installed: Install policycoreutils Package
• selinux_state: Ensure SELinux State is Enforcing

SRG-OS-000351-GPOS-00139: Oracle Linux 9 must provide a report generation capability that supports on-demand reporting requirements.

Description: None

• low

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000474-GPOS-00219: Oracle Linux 9 must generate audit records when successful/unsuccessful accesses to objects occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000420-GPOS-00186: Oracle Linux 9 must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_invalid_ratelimit: Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
• sysctl_net_ipv4_tcp_invalid_ratelimit_value = five_hundred
• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

SRG-OS-000373-GPOS-00156: Oracle Linux 9 must require users to re-authenticate for privilege escalation.

Description: None

• medium

Automated: yes

• disallow_bypass_password_sudo: Disallow Configuration to Bypass Password Requirements for Privilege Escalation
• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication
• var_sudo_timestamp_timeout = always_prompt

SRG-OS-000191-GPOS-00080: Oracle Linux 9 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, 30 days, and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

Description: None

• medium

Automated: yes

• package_mcafeetp_installed: Install McAfee Endpoint Security for Linux (ENSL)

SRG-OS-000004-GPOS-00004: Oracle Linux 9 must audit all account creations.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000365-GPOS-00152: Oracle Linux 9 must audit the enforcement actions used to restrict access associated with changes to the system.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000075-GPOS-00043: Oracle Linux 9 must enforce 24 hours/1 day as the minimum password lifetime.

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

SRG-OS-000266-GPOS-00101: Oracle Linux 9 must enforce password complexity by requiring that at least one special character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• var_password_pam_ocredit = 1

SRG-OS-000480-GPOS-00232: Oracle Linux 9 must enable an application firewall, if available.

Description: None

• medium

Automated: yes

• package_firewalld_installed: Install firewalld Package
• service_firewalld_enabled: Verify firewalld Enabled

SRG-OS-000074-GPOS-00042: Oracle Linux 9 must transmit only encrypted representations of passwords.

Description: None

• high

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package
• package_tftp_removed: Remove tftp Daemon
• package_vsftpd_removed: Uninstall vsftpd Package

SRG-OS-000024-GPOS-00007: Oracle Linux 9 must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000033-GPOS-00014: Oracle Linux 9 must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Description: None

• high

Automated: yes

• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy
• sshd_rekey_limit: Force frequent session key renegotiation
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour

SRG-OS-000475-GPOS-00220: Oracle Linux 9 must generate audit records for all direct access to the information system.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000379-GPOS-00164: Oracle Linux 9 must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000080-GPOS-00048: Oracle Linux 9 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts
• grub2_admin_username: Set the Boot Loader Admin Username to a Non-Default Value
• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_admin_username: Set the UEFI Boot Loader Admin Username to a Non-Default Value
• grub2_uefi_password: Set the UEFI Boot Loader Password
• require_singleuser_auth: Require Authentication for Single User Mode

SRG-OS-000433-GPOS-00193: Oracle Linux 9 must implement address space layout randomization to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

SRG-OS-000304-GPOS-00121: Oracle Linux 9 must notify system administrators and ISSOs of account enabling actions.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000071-GPOS-00039: Oracle Linux 9 must enforce password complexity by requiring that at least one numeric character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• var_password_pam_dcredit = 1

SRG-OS-000277-GPOS-00107: Oracle Linux 9 must notify system administrators and ISSOs when accounts are removed.

Description: None

• medium

Automated: no

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

SRG-OS-000478-GPOS-00223: Oracle Linux 9 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Description: None

• high

Automated: yes

• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1

SRG-OS-000067-GPOS-00035: Oracle Linux 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: no

• ssh_keys_passphrase_protected: Verify the SSH Private Key Files Have a Passcode

SRG-OS-000473-GPOS-00218: Oracle Linux 9 must generate audit records when concurrent logons to the same account occur from different sources.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

SRG-OS-000363-GPOS-00150: Oracle Linux 9 must notify designated personnel if baseline configurations are changed in an unauthorized manner.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• package_aide_installed: Install AIDE
• package_s-nail_installed: The s-nail Package Is Installed

SRG-OS-000105-GPOS-00052: Oracle Linux 9 must use multifactor authentication for network access to privileged accounts.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication
• sshd_enable_pubkey_auth: Enable Public Key Authentication
• sssd_enable_smartcards: Enable Smartcards in SSSD

SRG-OS-000275-GPOS-00105: Oracle Linux 9 must notify system administrators and ISSOs when accounts are modified.

Description: None

• medium

Automated: no

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

SRG-OS-000312-GPOS-00122: Oracle Linux 9 must allow operating system admins to pass information to any other operating system admin or user.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000343-GPOS-00134: Oracle Linux 9 must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description: None

• low

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space
• var_auditd_action_mail_acct = root
• var_auditd_admin_space_left_percentage = 5pc
• var_auditd_space_left_action = email
• var_auditd_space_left_percentage = 25pc

SRG-OS-000437-GPOS-00194: Oracle Linux 9 must remove all software components after updated versions have been installed.

Description: None

• medium

Automated: yes

• clean_components_post_updating: Ensure yum Removes Previous Package Versions

SRG-OS-000107-GPOS-00054: Oracle Linux 9 must use multifactor authentication for local access to privileged accounts.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• sshd_enable_pubkey_auth: Enable Public Key Authentication

SRG-OS-000446-GPOS-00200: Oracle Linux 9 must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE

SRG-OS-000364-GPOS-00151: Oracle Linux 9 must enforce access restrictions.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000123-GPOS-00064: Oracle Linux 9 must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

SRG-OS-000359-GPOS-00146: Oracle Linux 9 must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

Description: None

• low

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• package_audit_installed: Ensure the audit Subsystem is Installed
• var_time_service_set_maxpoll = 18_hours

SRG-OS-000274-GPOS-00104: Oracle Linux 9 must notify system administrators and ISSOs when accounts are created.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000258-GPOS-00099: Oracle Linux 9 must protect audit tools from unauthorized deletion.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root
• file_audit_tools_ownership: Audit Tools Must Be Owned by Root
• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

SRG-OS-000470-GPOS-00214: Oracle Linux 9 must generate audit records when successful/unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000059-GPOS-00029: Oracle Linux 9 must protect audit information from unauthorized deletion.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs
• audit_rules_immutable: Make the auditd Configuration Immutable
• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root
• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root
• directory_permissions_var_log_audit: System Audit Logs Must Have Mode 0750 or Less Permissive
• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

SRG-OS-000206-GPOS-00084: Oracle Linux 9 must reveal error messages only to authorized users.

Description: None

• medium

Automated: yes

• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root
• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root
• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_groupowner_var_log_messages: Verify Group Who Owns /var/log/messages File
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_owner_var_log_messages: Verify User Who Owns /var/log/messages File
• file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive
• file_permissions_var_log_messages: Verify Permissions on /var/log/messages File

SRG-OS-000352-GPOS-00140: Oracle Linux 9 must provide a report generation capability that supports after-the-fact investigations of security incidents.

Description: None

• low

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000354-GPOS-00142: Oracle Linux 9 must not alter original content or time ordering of audit records when it provides a report generation capability.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000032-GPOS-00013: Oracle Linux 9 must monitor remote access methods.

Description: None

• medium

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog
• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

SRG-OS-000112-GPOS-00057: Oracle Linux 9 must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000362-GPOS-00149: Oracle Linux 9 must prohibit user installation of system software without explicit privileged status.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000281-GPOS-00111: Oracle Linux 9 must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000118-GPOS-00060: Oracle Linux 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity

SRG-OS-000383-GPOS-00166: Oracle Linux 9 must prohibit the use of cached authenticators after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

SRG-OS-000132-GPOS-00067: Oracle Linux 9 must separate user functionality (including user interface services) from operating system management functionality.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000368-GPOS-00154: Oracle Linux 9 must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.

Description: None

• medium

Automated: yes

• mount_option_boot_nodev: Add nodev Option to /boot
• mount_option_boot_nosuid: Add nosuid Option to /boot
• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm
• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm
• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm
• mount_option_home_nodev: Add nodev Option to /home
• mount_option_home_nosuid: Add nosuid Option to /home
• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions
• mount_option_tmp_nodev: Add nodev Option to /tmp
• mount_option_tmp_noexec: Add noexec Option to /tmp
• mount_option_tmp_nosuid: Add nosuid Option to /tmp
• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit
• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit
• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit
• mount_option_var_log_nodev: Add nodev Option to /var/log
• mount_option_var_log_noexec: Add noexec Option to /var/log
• mount_option_var_log_nosuid: Add nosuid Option to /var/log
• mount_option_var_nodev: Add nodev Option to /var
• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp
• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp
• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp
• package_fapolicyd_installed: Install fapolicyd Package
• service_fapolicyd_enabled: Enable the File Access Policy Service

SRG-OS-000076-GPOS-00044: Oracle Linux 9 must enforce a 60-day maximum password lifetime restriction.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 60

SRG-OS-000030-GPOS-00011: Oracle Linux 9 must provide the capability for users to directly initiate a session lock for all connection types.

Description: None

• medium

Automated: yes

• configure_tmux_lock_keybinding: Configure the tmux lock session key binding
• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal
• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period
• dconf_gnome_screensaver_lock_locked: Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
• package_tmux_installed: Install the tmux Package

SRG-OS-000250-GPOS-00093: Oracle Linux 9 must implement cryptography to protect the integrity of remote access sessions.

Description: None

• high

Automated: yes

• configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
• configure_openssl_tls_crypto_policy: Configure OpenSSL library to use TLS Encryption
• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy

SRG-OS-000120-GPOS-00061: Oracle Linux 9 must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Description: None

• medium

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512
• libreswan_approved_tunnels: Verify Any Configured IPSec Tunnel Connections
• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm

SRG-OS-000121-GPOS-00062: Oracle Linux 9 must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs
• group_unique_id: Ensure All Groups on the System Have Unique Group ID

SRG-OS-000228-GPOS-00088: Any publicly accessible connection to Oracle Linux 9 must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner
• sshd_enable_warning_banner: Enable SSH Warning Banner

SRG-OS-000027-GPOS-00008: Oracle Linux 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

SRG-OS-000405-GPOS-00184: Oracle Linux 9 must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

SRG-OS-000471-GPOS-00215: Oracle Linux 9 must generate audit records for privileged activities or other system-level access.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_pt_chown: Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

SRG-OS-000278-GPOS-00108: Oracle Linux 9 must use cryptographic mechanisms to protect the integrity of audit tools.

Description: None

• high

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

SRG-OS-000303-GPOS-00120: Oracle Linux 9 must audit all account enabling actions.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000467-GPOS-00211: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to delete security levels occur.

Description: None

• medium

Automated: yes

• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

SRG-OS-000096-GPOS-00050: Oracle Linux 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

Description: None

• medium

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server
• chronyd_no_chronyc_network: Disable network management of chrony daemon
• configure_firewalld_ports: Configure the Firewalld Ports
• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception
• package_firewalld_installed: Install firewalld Package
• service_firewalld_enabled: Verify firewalld Enabled

SRG-OS-000329-GPOS-00128: Oracle Linux 9 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_fail_interval = 900
• var_accounts_passwords_pam_faillock_unlock_time = never

SRG-OS-000481-GPOS-00481: Oracle Linux 9 must protect the confidentiality and integrity of communications with wireless peripherals.

Description: None

• high

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SRG-OS-000108-GPOS-00055: Oracle Linux 9 must use multifactor authentication for local access to non-privileged accounts.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• sshd_enable_pubkey_auth: Enable Public Key Authentication

SRG-OS-000058-GPOS-00028: Oracle Linux 9 must protect audit information from unauthorized modification.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs
• audit_rules_immutable: Make the auditd Configuration Immutable
• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root
• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root
• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

SRG-OS-000001-GPOS-00001: Oracle Linux 9 must provide automated mechanisms for supporting account management functions.

Description: Oracle Linux 9 must provide automated mechanisms for supporting account management functions.

• medium

Automated: no

No rules selected

SRG-OS-000433-GPOS-00192: Oracle Linux 9 must implement non-executable data to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning
• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

SRG-OS-000480-GPOS-00227: Oracle Linux 9 must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users
• accounts_no_uid_except_zero: Verify Only Root Has UID 0
• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_interactive_users: Ensure the Default Umask is Set Correctly For Interactive Users
• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs
• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories
• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined
• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist
• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)
• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes
• auditd_local_events: Include Local Events in Audit Logs
• auditd_log_format: Resolve information before writing to audit logs
• auditd_write_logs: Write Audit Logs to the Disk
• configured_firewalld_default_deny: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
• coredump_disable_backtraces: Disable core dump backtraces
• coredump_disable_storage: Disable storing core dump
• dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles
• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening
• dconf_gnome_disable_autorun: Disable GNOME3 Automount running
• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons
• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List
• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User
• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action
• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation
• disable_users_coredumps: Disable Core Dumps for All Users
• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification
• enable_authselect: Enable authselect
• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
• file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_deny: Verify Group Who Owns cron.deny
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group
• file_owner_backup_etc_group: Verify User Who Owns Backup group File
• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
• file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_deny: Verify Owner on cron.deny
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_owner_sshd_config: Verify Owner on SSH Server config file
• file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
• file_permissions_backup_etc_group: Verify Permissions on Backup group File
• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File
• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File
• file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file
• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly
• file_permissions_crontab: Verify Permissions on crontab
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_shadow: Verify Permissions on shadow File
• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
• file_permissions_sshd_config: Verify Permissions on SSH Server config file
• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files
• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files
• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception
• grub2_disable_interactive_boot: Verify that Interactive Boot is Disabled
• grub2_page_poison_argument: Enable page allocator poisoning
• grub2_vsyscall_argument: Disable vsyscalls
• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• mount_option_boot_nosuid: Add nosuid Option to /boot
• mount_option_home_noexec: Add noexec Option to /home
• mount_option_home_nosuid: Add nosuid Option to /home
• mount_option_krb_sec_remote_filesystems: Mount Remote Filesystems with Kerberos Security
• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions
• mount_option_nodev_remote_filesystems: Mount Remote Filesystems with nodev
• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions
• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec
• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions
• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid
• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions
• network_configure_name_resolution: Configure Multiple DNS Servers in /etc/resolv.conf
• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer
• networkmanager_dns_mode: NetworkManager DNS Mode Must Be Must Configured
• no_empty_passwords: Prevent Login to Accounts With Empty Password
• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords
• no_files_unowned_by_user: Ensure All Files Are Owned by a User
• no_host_based_files: Remove Host-Based Authentication Files
• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login
• no_user_host_based_files: Remove User Host-Based Authentication Files
• package_audit_installed: Ensure the audit Subsystem is Installed
• package_firewalld_installed: Install firewalld Package
• package_gnutls-utils_installed: Ensure gnutls-utils is installed
• package_gssproxy_removed: Uninstall gssproxy Package
• package_iprutils_removed: Uninstall iprutils Package
• package_libreswan_installed: Install libreswan Package
• package_MFEhiplsm_installed: Install the Host Intrusion Prevention System (HIPS) Module
• package_nss-tools_installed: Ensure nss-tools is installed
• package_openssh-clients_installed: Install OpenSSH client software
• package_policycoreutils-python-utils_installed: Install policycoreutils-python-utils package
• package_policycoreutils_installed: Install policycoreutils Package
• package_quagga_removed: Uninstall quagga Package
• package_rng-tools_installed: Install rng-tools Package
• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed
• package_rsyslog_installed: Ensure rsyslog is Installed
• package_sendmail_removed: Uninstall Sendmail Package
• package_tftp-server_removed: Uninstall tftp-server Package
• package_tuned_removed: Uninstall tuned Package
• package_vsftpd_removed: Uninstall vsftpd Package
• package_xorg-x11-server-common_removed: Remove the X Windows Package Group
• partition_for_home: Ensure /home Located On Separate Partition
• partition_for_tmp: Ensure /tmp Located On Separate Partition
• partition_for_var: Ensure /var Located On Separate Partition
• partition_for_var_log: Ensure /var/log Located On Separate Partition
• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition
• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition
• postfix_prevent_unrestricted_relay: Prevent Unrestricted Mail Relaying
• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog
• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host
• security_patches_up_to_date: Ensure Software Patches Installed
• service_auditd_enabled: Enable auditd Service
• service_autofs_disabled: Disable the Automounter
• service_debug-shell_disabled: Disable debug-shell SystemD Service
• service_firewalld_enabled: Verify firewalld Enabled
• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)
• service_rsyslog_enabled: Enable rsyslog Service
• service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps
• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets
• sshd_disable_compression: Disable Compression Or Set Compression to delayed
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_disable_rhosts: Disable SSH Support for .rhosts Files
• sshd_disable_root_login: Disable SSH Root Login
• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts
• sshd_disable_x11_forwarding: Disable X11 Forwarding
• sshd_enable_strictmodes: Enable Use of Strict Mode Checking
• sshd_print_last_log: Enable SSH Print Last Log
• sshd_rekey_limit: Force frequent session key renegotiation
• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display
• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel
• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo
• sysctl_kernel_core_pattern: Disable storing core dumps
• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading
• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space
• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes
• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes
• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler
• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding
• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
• sysctl_user_max_user_namespaces: Disable the use of user namespaces
• tftpd_uses_secure_mode: Ensure tftp Daemon Uses Secure Mode
• use_kerberos_security_all_exports: Use Kerberos Security on All Exports
• var_networkmanager_dns_mode = none
• xwindows_runlevel_target: Disable X Windows Startup By Setting Default Target

SRG-OS-000395-GPOS-00175: Oracle Linux 9 must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions. If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000377-GPOS-00162: Oracle Linux 9 must electronically verify Personal Identity Verification (PIV) credentials.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication
• sssd_certificate_verification: Certificate status checking in SSSD
• var_sssd_certificate_verification_digest_function = sha512

SRG-OS-000040-GPOS-00018: Oracle Linux 9 must produce audit records containing information to establish the source of the events.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000376-GPOS-00161: Oracle Linux 9 must accept Personal Identity Verification (PIV) credentials.

Description: None

• medium

Automated: yes

• package_opensc_installed: Install the opensc Package For Multifactor Authentication

SRG-OS-000463-GPOS-00207: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to modify security objects occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

SRG-OS-000114-GPOS-00059: Oracle Linux 9 must uniquely identify peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening
• dconf_gnome_disable_autorun: Disable GNOME3 Automount running
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• service_autofs_disabled: Disable the Automounter

SRG-OS-000241-GPOS-00091: Oracle Linux 9 must audit all account removal actions.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000394-GPOS-00174: Oracle Linux 9 must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• package_crypto-policies_installed: Install crypto-policies package
• var_system_crypto_policy = fips

SRG-OS-000023-GPOS-00006: Oracle Linux 9 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner
• dconf_gnome_login_banner_text: Set the GNOME3 Login Warning Banner Text
• sshd_enable_warning_banner: Enable SSH Warning Banner

SRG-OS-000126-GPOS-00066: Oracle Linux 9 must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000477-GPOS-00222: Oracle Linux 9 must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.

Description: None

• medium

Automated: yes

• audit_privileged_commands_init: Ensure auditd Collects Information on the Use of Privileged Commands - init
• audit_privileged_commands_poweroff: Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
• audit_privileged_commands_reboot: Ensure auditd Collects Information on the Use of Privileged Commands - reboot
• audit_privileged_commands_shutdown: Ensure auditd Collects Information on the Use of Privileged Commands - shutdown
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

SRG-OS-000021-GPOS-00005: Oracle Linux 9 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_password_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.
• account_password_pam_faillock_system_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.
• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory
• accounts_passwords_pam_faillock_audit: Account Lockouts Must Be Logged
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_fail_interval = 900
• var_accounts_passwords_pam_faillock_unlock_time = never

SRG-OS-000069-GPOS-00037: Oracle Linux 9 must enforce password complexity by requiring that at least one upper-case character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth
• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_retry = 3
• var_password_pam_ucredit = 1

SRG-OS-000057-GPOS-00027: Oracle Linux 9 must protect audit information from unauthorized read access.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs
• audit_rules_immutable: Make the auditd Configuration Immutable
• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root
• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root
• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

SRG-OS-000054-GPOS-00025: Oracle Linux 9 must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000078-GPOS-00046: Oracle Linux 9 must enforce a minimum 15-character password length.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• var_password_pam_minlen = 15

SRG-OS-000062-GPOS-00031: Oracle Linux 9 must provide audit record generation capability for DoD-defined auditable events for all operating system components.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• auditd_local_events: Include Local Events in Audit Logs
• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000047-GPOS-00023: Oracle Linux 9 must shut down by default upon audit failure (unless availability is an overriding concern).

Description: None

• medium

Automated: yes

• audit_rules_system_shutdown: Shutdown System When Auditing Failures Occur
• auditd_data_disk_error_action_stig: Configure auditd Disk Error Action on Disk Error
• auditd_data_disk_full_action_stig: Configure auditd Disk Full Action when Disk Space Is Full
• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_audit_failure_mode = panic
• var_auditd_disk_error_action = halt
• var_auditd_disk_full_action = halt
• var_auditd_max_log_file_action = rotate

SRG-OS-000051-GPOS-00024: Oracle Linux 9 must provide the capability to centrally review and analyze audit records from multiple components within the system.

Description: None

• medium

Automated: yes

• auditd_freq: Set number of records to cause an explicit flush to audit logs
• package_audit_installed: Ensure the audit Subsystem is Installed
• package_rsyslog_installed: Ensure rsyslog is Installed
• service_auditd_enabled: Enable auditd Service
• var_auditd_freq = 100

SRG-OS-000068-GPOS-00036: Oracle Linux 9 must map the authenticated identity to the user or group account for PKI-based authentication.

Description: None

• medium

Automated: yes

• sssd_enable_certmap: Enable Certmap in SSSD

SRG-OS-000468-GPOS-00212: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to delete security objects occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

SRG-OS-000063-GPOS-00032: Oracle Linux 9 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_auditd: Verify Permissions on /etc/audit/auditd.conf
• file_permissions_etc_audit_rulesd: Verify Permissions on /etc/audit/rules.d/*.rules

SRG-OS-000055-GPOS-00026: Oracle Linux 9 must use internal system clocks to generate time stamps for audit records.

Description: Oracle Linux 9 must use internal system clocks to generate time stamps for audit records.

• medium

Automated: no

No rules selected

SRG-OS-000031-GPOS-00012: Oracle Linux 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Description: None

• medium

Automated: yes

• configure_bashrc_exec_tmux: Support session locking with tmux
• configure_tmux_lock_after_time: Configure tmux to lock session after inactivity

SRG-OS-000378-GPOS-00163: Oracle Linux 9 must authenticate peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening
• dconf_gnome_disable_autorun: Disable GNOME3 Automount running
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• package_usbguard_installed: Install usbguard Package
• service_autofs_disabled: Disable the Automounter
• service_usbguard_enabled: Enable the USBGuard Service
• usbguard_generate_policy: Generate USBGuard Policy

SRG-OS-000095-GPOS-00049: Oracle Linux 9 must be configured to disable non-essential capabilities.

Description: None

• medium

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server
• chronyd_no_chronyc_network: Disable network management of chrony daemon
• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)
• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module
• kernel_module_can_disabled: Disable CAN Support
• kernel_module_sctp_disabled: Disable SCTP Support
• kernel_module_tipc_disabled: Disable TIPC Support
• package_gssproxy_removed: Uninstall gssproxy Package
• package_iprutils_removed: Uninstall iprutils Package
• package_nfs-utils_removed: Uninstall nfs-utils Package
• package_sendmail_removed: Uninstall Sendmail Package
• package_telnet-server_removed: Uninstall telnet-server Package
• package_vsftpd_removed: Uninstall vsftpd Package

SRG-OS-000380-GPOS-00165: Oracle Linux 9 must allow the use of a temporary password for system logons with an immediate change to a permanent password.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000072-GPOS-00040: Oracle Linux 9 must require the change of at least 50% of the total number of characters when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_maxclassrepeat: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• var_password_pam_difok = 8
• var_password_pam_maxclassrepeat = 4
• var_password_pam_maxrepeat = 3
• var_password_pam_minclass = 4

SRG-OS-000350-GPOS-00138: Oracle Linux 9 must provide a report generation capability that supports on-demand audit review and analysis.

Description: None

• low

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000337-GPOS-00129: Oracle Linux 9 must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000064-GPOS-00033: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to access privileges occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat

SRG-OS-000256-GPOS-00097: Oracle Linux 9 must protect audit tools from unauthorized access.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root
• file_audit_tools_ownership: Audit Tools Must Be Owned by Root
• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

SRG-OS-000276-GPOS-00106: Oracle Linux 9 must notify system administrators and ISSOs when accounts are disabled.

Description: None

• medium

Automated: no

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

SRG-OS-000327-GPOS-00127: Oracle Linux 9 must audit the execution of privileged functions.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

SRG-OS-000358-GPOS-00145: Oracle Linux 9 must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000142-GPOS-00071: Oracle Linux 9 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

SRG-OS-000073-GPOS-00041: Oracle Linux 9 must store only encrypted representations of passwords.

Description: None

• high

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512
• accounts_password_pam_unix_rounds_password_auth: Set number of Password Hashing Rounds - password-auth
• accounts_password_pam_unix_rounds_system_auth: Set number of Password Hashing Rounds - system-auth
• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

SRG-OS-000476-GPOS-00221: Oracle Linux 9 must generate audit records for all account creations, modifications, disabling, and termination events.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000447-GPOS-00201: Oracle Linux 9 must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

SRG-OS-000458-GPOS-00203: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to access security objects occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

SRG-OS-000479-GPOS-00224: Oracle Linux 9 must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
• package_rsyslog_installed: Ensure rsyslog is Installed
• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records
• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records
• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

SRG-OS-000341-GPOS-00132: Oracle Linux 9 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Description: None

• low

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs
• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon
• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

SRG-OS-000257-GPOS-00098: Oracle Linux 9 must protect audit tools from unauthorized modification.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root
• file_audit_tools_ownership: Audit Tools Must Be Owned by Root
• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

SRG-OS-000239-GPOS-00089: Oracle Linux 9 must audit all account modifications.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000029-GPOS-00010: Oracle Linux 9 must initiate a session lock after a 15-minute period of inactivity for all connection types.

Description: None

• medium

Automated: yes

• configure_tmux_lock_after_time: Configure tmux to lock session after inactivity
• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout
• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period
• dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings
• dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings
• inactivity_timeout_value = 15_minutes
• var_screensaver_lock_delay = 5_seconds

SRG-OS-000403-GPOS-00182: Oracle Linux 9 must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to Oracle Linux 9.

Description: Oracle Linux 9 must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.

• medium

Automated: no

No rules selected

SRG-OS-000280-GPOS-00110: Oracle Linux 9 must provide a logoff capability for user-initiated communications sessions when requiring user access authentication.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000344-GPOS-00135: Oracle Linux 9 must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

Description: Oracle Linux 9 must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

• medium

Automated: no

No rules selected

SRG-OS-000037-GPOS-00015: Oracle Linux 9 must produce audit records containing information to establish what type of events occurred.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_pkexec: Ensure auditd Collects Information on the Use of Privileged Commands - pkexec
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000348-GPOS-00136: Oracle Linux 9 must provide an audit reduction capability that supports on-demand audit review and analysis.

Description: None

• low

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000028-GPOS-00009: Oracle Linux 9 must retain a users session lock until that user reestablishes access using established identification and authentication procedures.

Description: None

• high

Automated: yes

• configure_bashrc_exec_tmux: Support session locking with tmux
• configure_tmux_lock_command: Configure the tmux Lock Command
• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal
• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period
• dconf_gnome_screensaver_lock_locked: Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
• no_tmux_in_shells: Prevent user from disabling the screen lock
• package_tmux_installed: Install the tmux Package

SRG-OS-000366-GPOS-00153: Oracle Linux 9 must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Description: None

• high

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main yum Configuration
• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All yum Package Repositories
• ensure_oracle_gpgkey_installed: Ensure Oracle Linux GPG Key Installed
• package_subscription-manager_installed: Install subscription-manager Package
• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading

SRG-OS-000138-GPOS-00069: Oracle Linux 9 must prevent unauthorized and unintended information transfer via shared system resources.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User
• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

SRG-OS-000255-GPOS-00096: Oracle Linux 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.

Description: None

• medium

Automated: yes

• auditd_log_format: Resolve information before writing to audit logs
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000300-GPOS-00118: Oracle Linux 9 must protect wireless access to the system using authentication of users and/or devices.

Description: None

• medium

Automated: yes

• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module
• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SRG-OS-000375-GPOS-00160: Oracle Linux 9 must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication
• package_opensc_installed: Install the opensc Package For Multifactor Authentication
• package_pcsc-lite_installed: Install the pcsc-lite package
• service_pcscd_enabled: Enable the pcscd Service
• sssd_certificate_verification: Certificate status checking in SSSD
• sssd_enable_smartcards: Enable Smartcards in SSSD
• var_sssd_certificate_verification_digest_function = sha512

SRG-OS-000297-GPOS-00115: Oracle Linux 9 must control remote access methods.

Description: None

• medium

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports
• package_firewalld_installed: Install firewalld Package
• service_firewalld_enabled: Verify firewalld Enabled

SRG-OS-000041-GPOS-00019: Oracle Linux 9 must produce audit records containing information to establish the outcome of the events.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000279-GPOS-00109: Oracle Linux 9 must automatically terminate a user session after inactivity time-outs have expired or at shutdown.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• sshd_set_idle_timeout: Set SSH Client Alive Interval

SRG-OS-000466-GPOS-00210: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to delete privileges occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000104-GPOS-00051: Oracle Linux 9 must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs
• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group
• group_unique_id: Ensure All Groups on the System Have Unique Group ID

SRG-OS-000396-GPOS-00176: Oracle Linux 9 must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• enable_fips_mode: Enable FIPS Mode
• package_crypto-policies_installed: Install crypto-policies package
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1

SRG-OS-000039-GPOS-00017: Oracle Linux 9 must produce audit records containing information to establish where the events occurred.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000461-GPOS-00205: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

SRG-OS-000360-GPOS-00147: Oracle Linux 9 must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000384-GPOS-00167: The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Description: None

• medium

Automated: no

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

SRG-OS-000042-GPOS-00021: Oracle Linux 9 must produce audit records containing the individual identities of group account users.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000393-GPOS-00173: Oracle Linux 9 must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• package_crypto-policies_installed: Install crypto-policies package
• var_system_crypto_policy = fips

SRG-OS-000353-GPOS-00141: Oracle Linux 9 must not alter original content or time ordering of audit records when it provides an audit reduction capability.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000269-GPOS-00103: In the event of a system failure, Oracle Linux 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

Description: None

• medium

Automated: yes

• service_systemd-journald_enabled: Enable systemd-journald Service

SRG-OS-000240-GPOS-00090: Oracle Linux 9 must audit all account disabling actions.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SRG-OS-000480-GPOS-00226: Oracle Linux 9 must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs
• var_accounts_fail_delay = 4

SRG-OS-000349-GPOS-00137: Oracle Linux 9 must provide an audit reduction capability that supports after-the-fact investigations of security incidents.

Description: None

• low

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000462-GPOS-00206: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to modify privileges occur.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs
• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

SRG-OS-000370-GPOS-00155: Oracle Linux 9 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Description: None

• medium

Automated: yes

• package_fapolicyd_installed: Install fapolicyd Package
• service_fapolicyd_enabled: Enable the File Access Policy Service

SRG-OS-000472-GPOS-00217: Oracle Linux 9 must generate audit records showing starting and ending time for user access to the system.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000480-GPOS-00228: Oracle Linux 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_etc_csh_cshrc: Ensure the Default C Shell Umask is Set Correctly
• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs
• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile
• var_accounts_user_umask = 077

SRG-OS-000299-GPOS-00117: Oracle Linux 9 must protect wireless access to and from the system using encryption.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SRG-OS-000373-GPOS-00158: Oracle Linux 9 must require users to re-authenticate when changing authenticators.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

SRG-OS-000404-GPOS-00183: Oracle Linux 9 must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

SRG-OS-000392-GPOS-00172: Oracle Linux 9 must audit all activities performed during nonlocal maintenance and diagnostic sessions.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_pt_chown: Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_rename: Record Unsuccessful Delete Attempts to Files - rename
• audit_rules_unsuccessful_file_modification_renameat: Record Unsuccessful Delete Attempts to Files - renameat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_unsuccessful_file_modification_unlink: Record Unsuccessful Delete Attempts to Files - unlink
• audit_rules_unsuccessful_file_modification_unlinkat: Record Unsuccessful Delete Attempts to Files - unlinkat
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000425-GPOS-00189: Oracle Linux 9 must maintain the confidentiality and integrity of information during preparation for transmission.

Description: None

• medium

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package
• service_sshd_enabled: Enable the OpenSSH Service

SRG-OS-000471-GPOS-00216: The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

SRG-OS-000254-GPOS-00095: Oracle Linux 9 must initiate session audits at system start-up.

Description: None

• medium

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000480-GPOS-00230: Oracle Linux 9 must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000046-GPOS-00022: Oracle Linux 9 must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

Description: None

• medium

Automated: yes

• audit_rules_system_shutdown: Shutdown System When Auditing Failures Occur
• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account
• postfix_client_configure_mail_alias_postmaster: Configure System to Forward All Mail From Postmaster to The Root Account
• var_audit_failure_mode = panic
• var_auditd_action_mail_acct = root
• var_postfix_root_mail_alias = mil_sysadmin

SRG-OS-000374-GPOS-00159: Oracle Linux 9 must require devices to re-authenticate when changing authenticators.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000163-GPOS-00072: Oracle Linux 9 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• sshd_set_idle_timeout: Set SSH Client Alive Interval
• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_accounts_tmout = 15_min

SRG-OS-000122-GPOS-00063: Oracle Linux 9 must provide an audit reduction capability that supports on-demand reporting requirements.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

SRG-OS-000342-GPOS-00133: Oracle Linux 9 must offload audit records onto a different system or media from the system being audited.

Description: None

• low

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
• package_audispd-plugins_installed: Install audispd-plugins Package
• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records
• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records
• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

SRG-OS-000109-GPOS-00056: Oracle Linux 9 must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• sshd_disable_root_login: Disable SSH Root Login

SRG-OS-000002-GPOS-00002: Oracle Linux 9 must automatically remove or disable temporary user accounts after 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

SRG-OS-000106-GPOS-00053: Oracle Linux 9 must use multifactor authentication for network access to non-privileged accounts.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_enable_pubkey_auth: Enable Public Key Authentication
• var_smartcard_drivers = cac

SRG-OS-000445-GPOS-00199: Oracle Linux 9 must verify correct operation of all security functions.

Description: None

• medium

Automated: yes

• package_aide_installed: Install AIDE
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing

SRG-OS-000184-GPOS-00078: Oracle Linux 9 must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000205-GPOS-00083: Oracle Linux 9 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000312-GPOS-00124: Oracle Linux 9 must allow operating system admins to change security attributes on users, the operating system, or the operating systems components.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000298-GPOS-00116: Oracle Linux 9 must provide the capability to immediately disconnect or disable remote access to the operating system.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000439-GPOS-00195: The operating system must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000480-GPOS-00225: Oracle Linux 9 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User

SRG-OS-000066-GPOS-00034: Oracle Linux 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: no

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

SRG-OS-000465-GPOS-00209: Oracle Linux 9 must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

SRG-OS-000432-GPOS-00191: Oracle Linux 9 must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

Description: None

• medium

Automated: no

No rules selected

SRG-OS-000077-GPOS-00045: Oracle Linux 9 must prohibit password reuse for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember_password_auth: Limit Password Reuse: password-auth
• accounts_password_pam_pwhistory_remember_system_auth: Limit Password Reuse: system-auth
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite_or_required