Definition of Oracle Linux 9 Security Technical Implementation Guide for ol9

needed_rules: None

Description: None

• medium

Automated: no

• enable_authselect: Enable authselect
• var_authselect_profile = sssd

OL09-00-000001: The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.

Description: None

• medium

Automated: yes

• encrypt_partitions: Encrypt Partitions

OL09-00-000010: OL 9 must be a vendor-supported release.

Description: None

• high

Automated: yes

• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported

OL09-00-000015: OL 9 vendor packaged system security patches and updates must be installed and up to date.

Description: None

• medium

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

OL09-00-000090: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = dod_default

OL09-00-000020: The graphical display manager must not be the default target on OL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_runlevel_target: Disable Graphical Environment Startup By Setting Default Target

OL09-00-000360: OL 9 must enable the hardware random number generator entropy gatherer service.

Description: None

• low

Automated: no

No rules selected

OL09-00-002400: OL 9 systemd-journald service must be enabled.

Description: None

• medium

Automated: yes

• service_systemd-journald_enabled: Enable systemd-journald Service

OL09-00-002412: The systemd Ctrl-Alt-Delete burst key sequence in OL 9 must be disabled.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action

OL09-00-002413: The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 9.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

OL09-00-002403: OL 9 debug-shell systemd service must be disabled.

Description: None

• medium

Automated: yes

• service_debug-shell_disabled: Disable debug-shell SystemD Service

OL09-00-001115: OL 9 must require a boot loader superuser password.

Description: None

• medium

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

OL09-00-002392: OL 9 must disable the ability of systemd to spawn an interactive boot process.

Description: None

• medium

Automated: yes

• grub2_disable_interactive_boot: Verify that Interactive Boot is Disabled

OL09-00-000050: OL 9 must require a unique superusers name upon booting into single-user and maintenance modes.

Description: None

• high

Automated: yes

• grub2_admin_username: Set the Boot Loader Admin Username to a Non-Default Value

OL09-00-002530: OL 9 /boot/grub2/grub.cfg file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership

OL09-00-002531: OL 9 /boot/grub2/grub.cfg file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership

OL09-00-002393: OL 9 must disable virtual system calls.

Description: None

• medium

Automated: yes

• grub2_vsyscall_argument: Disable vsyscalls

OL09-00-002394: OL 9 must clear the page allocator to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_page_poison_argument: Enable page allocator poisoning

OL09-00-002390: OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning

OL09-00-002391: OL 9 must enable mitigations against processor-based vulnerabilities.

Description: None

• low

Automated: yes

• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)

OL09-00-000750: OL 9 must enable auditing of processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

OL09-00-002406: OL 9 must restrict access to the kernel message buffer.

Description: None

• medium

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

OL09-00-002407: OL 9 must prevent kernel profiling by nonprivileged users.

Description: None

• medium

Automated: yes

• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

OL09-00-002428: OL 9 must prevent the loading of a new kernel for later execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading

OL09-00-002408: OL 9 must restrict exposed kernel pointer addresses access.

Description: None

• medium

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

OL09-00-002401: OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks

OL09-00-002402: OL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

OL09-00-002380: OL 9 must disable the kernel.core_pattern.

Description: None

• medium

Automated: yes

• sysctl_kernel_core_pattern: Disable storing core dumps

OL09-00-000040: OL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.

Description: None

• medium

Automated: yes

• kernel_module_atm_disabled: Disable ATM Support

OL09-00-000041: OL 9 must be configured to disable the Controller Area Network kernel module.

Description: None

• medium

Automated: yes

• kernel_module_can_disabled: Disable CAN Support

OL09-00-000042: OL 9 must be configured to disable the FireWire kernel module.

Description: None

• medium

Automated: yes

• kernel_module_firewire-core_disabled: Disable IEEE 1394 (FireWire) Support

OL09-00-000043: OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support

OL09-00-000044: OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_tipc_disabled: Disable TIPC Support

OL09-00-002423: OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

OL09-00-002409: OL 9 must disable access to network bpf system call from nonprivileged processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes

OL09-00-002410: OL 9 must restrict usage of ptrace to descendant processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

OL09-00-002381: OL 9 must disable core dump backtraces.

Description: None

• medium

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces

OL09-00-002382: OL 9 must disable storing core dumps.

Description: None

• medium

Automated: yes

• coredump_disable_storage: Disable storing core dump

OL09-00-002383: OL 9 must disable core dumps for all users.

Description: None

• medium

Automated: yes

• disable_users_coredumps: Disable Core Dumps for All Users

OL09-00-002384: OL 9 must disable acquiring, saving, and processing core dumps.

Description: None

• medium

Automated: yes

• service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps

OL09-00-002370: OL 9 must disable the use of user namespaces.

Description: None

• medium

Automated: yes

• sysctl_user_max_user_namespaces: Disable the use of user namespaces

OL09-00-002385: The kdump service on OL 9 must be disabled.

Description: None

• medium

Automated: yes

• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)

OL09-00-000499: OL 9 must ensure cryptographic verification of vendor software packages.

Description: None

• medium

Automated: yes

• ensure_oracle_gpgkey_installed: Ensure Oracle Linux GPG Key Installed

OL09-00-000497: OL 9 must check the GPG signature of software packages originating from external software repositories before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main yum Configuration

OL09-00-000496: OL 9 must check the GPG signature of locally installed software packages before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages

OL09-00-000498: OL 9 must have GPG signature verification enabled for all software repositories.

Description: None

• high

Automated: yes

• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All yum Package Repositories

OL09-00-000495: OL 9 must remove all software components after updated versions have been installed.

Description: None

• low

Automated: yes

• clean_components_post_updating: Ensure yum Removes Previous Package Versions

OL09-00-000130: OL 9 must not have a File Transfer Protocol (FTP) server package installed.

Description: None

• high

Automated: yes

• package_vsftpd_removed: Uninstall vsftpd Package

OL09-00-000150: OL 9 must not have the sendmail package installed.

Description: None

• medium

Automated: yes

• package_sendmail_removed: Uninstall Sendmail Package

OL09-00-000100: OL 9 must not have the nfs-utils package installed.

Description: None

• medium

Automated: yes

• package_nfs-utils_removed: Uninstall nfs-utils Package

OL09-00-000105: OL 9 must not have the rsh-server package installed.

Description: None

• medium

Automated: yes

• package_rsh-server_removed: Uninstall rsh-server Package

OL09-00-000110: OL 9 must not have the telnet-server package installed.

Description: None

• medium

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

OL09-00-000115: OL 9 must not have the gssproxy package installed.

Description: None

• medium

Automated: yes

• package_gssproxy_removed: Uninstall gssproxy Package

OL09-00-000120: OL 9 must not have the iprutils package installed.

Description: None

• medium

Automated: yes

• package_iprutils_removed: Uninstall iprutils Package

OL09-00-000125: OL 9 must not have the tuned package installed.

Description: None

• medium

Automated: yes

• package_tuned_removed: Uninstall tuned Package

OL09-00-000135: OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.

Description: None

• high

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package

OL09-00-000140: OL 9 must not have the quagga package installed.

Description: None

• medium

Automated: yes

• package_quagga_removed: Uninstall quagga Package

OL09-00-000145: A graphical display manager must not be installed on OL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_remove_packages: Disable graphical user interface

OL09-00-000270: OL 9 must have the openssl-pkcs11 package installed.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

OL09-00-000285: OL 9 must have the SSSD package installed.

Description: None

• medium

Automated: yes

• package_sssd_installed: Install the SSSD Package

OL09-00-000286: OL 9 must use the SSSD package for multifactor authentication services.

Description: None

• medium

Automated: yes

• service_sssd_enabled: Enable the SSSD Service

OL09-00-000430: OL 9 must have the gnutls-utils package installed.

Description: None

• medium

Automated: yes

• package_gnutls-utils_installed: Ensure gnutls-utils is installed

OL09-00-000380: OL 9 must have the nss-tools package installed.

Description: None

• medium

Automated: yes

• package_nss-tools_installed: Ensure nss-tools is installed

OL09-00-000370: OL 9 must have the rng-tools package installed.

Description: None

• medium

Automated: yes

• package_rng-tools_installed: Install rng-tools Package

OL09-00-000290: OL 9 must have the s-nail package installed.

Description: None

• medium

Automated: yes

• package_s-nail_installed: The s-nail Package Is Installed

OL09-00-000003: A separate OL 9 file system must be used for user home directories (such as /home or an equivalent).

Description: None

• medium

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

OL09-00-000004: OL 9 must use a separate file system for /tmp.

Description: None

• medium

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

OL09-00-000005: OL 9 must use a separate file system for /var.

Description: None

• low

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

OL09-00-000006: OL 9 must use a separate file system for /var/log.

Description: None

• low

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

OL09-00-000002: OL 9 must use a separate file system for the system audit data path.

Description: None

• low

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

OL09-00-000007: OL 9 must use a separate file system for /var/tmp.

Description: None

• medium

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

OL09-00-002000: OL 9 file system automount function must be disabled unless required.

Description: None

• medium

Automated: yes

• service_autofs_disabled: Disable the Automounter

OL09-00-002070: OL 9 must prevent device files from being interpreted on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nodev: Add nodev Option to /home

OL09-00-002071: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

OL09-00-002072: OL 9 must prevent code from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_noexec: Add noexec Option to /home

OL09-00-002010: OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.

Description: None

• medium

Automated: yes

• mount_option_krb_sec_remote_filesystems: Mount Remote Filesystems with Kerberos Security

OL09-00-002011: OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nodev_remote_filesystems: Mount Remote Filesystems with nodev

OL09-00-002012: OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec

OL09-00-002013: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid

OL09-00-002020: OL 9 must prevent code from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

OL09-00-002021: OL 9 must prevent special devices on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions

OL09-00-002022: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

OL09-00-002030: OL 9 must mount /boot with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_boot_nodev: Add nodev Option to /boot

OL09-00-002031: OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

Description: None

• medium

Automated: yes

• mount_option_boot_nosuid: Add nosuid Option to /boot

OL09-00-002032: OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

Description: None

• medium

Automated: yes

• mount_option_boot_efi_nosuid: Add nosuid Option to /boot/efi

OL09-00-002040: OL 9 must mount /dev/shm with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

OL09-00-002041: OL 9 must mount /dev/shm with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

OL09-00-002042: OL 9 must mount /dev/shm with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

OL09-00-002050: OL 9 must mount /tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp

OL09-00-002051: OL 9 must mount /tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_tmp_noexec: Add noexec Option to /tmp

OL09-00-002052: OL 9 must mount /tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nosuid: Add nosuid Option to /tmp

OL09-00-002060: OL 9 must mount /var with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_nodev: Add nodev Option to /var

OL09-00-002061: OL 9 must mount /var/log with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log

OL09-00-002062: OL 9 must mount /var/log with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_noexec: Add noexec Option to /var/log

OL09-00-002063: OL 9 must mount /var/log with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nosuid: Add nosuid Option to /var/log

OL09-00-002064: OL 9 must mount /var/log/audit with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

OL09-00-002065: OL 9 must mount /var/log/audit with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

OL09-00-002066: OL 9 must mount /var/log/audit with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

OL09-00-002067: OL 9 must mount /var/tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

OL09-00-002068: OL 9 must mount /var/tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

OL09-00-002069: OL 9 must mount /var/tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

OL09-00-002418: OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

OL09-00-000045: OL 9 must disable mounting of cramfs.

Description: None

• low

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

OL09-00-002080: OL 9 must prevent special devices on non-root local partitions.

Description: None

• medium

Automated: yes

• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions

OL09-00-002506: OL 9 system commands must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions

OL09-00-002522: OL 9 library directories must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions

OL09-00-002525: OL 9 library files must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions

OL09-00-002562: OL 9 /var/log directory must have mode 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log: Verify Permissions on /var/log Directory

OL09-00-002565: OL 9 /var/log/messages file must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log_messages: Verify Permissions on /var/log/messages File

OL09-00-002572: OL 9 audit tools must have a mode of 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

OL09-00-002580: OL 9 cron configuration directories must have a mode of 0700 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly

OL09-00-002513: OL 9 local initialization files must have mode 0740 or less permissive.

Description: None

• medium

Automated: yes

• file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

OL09-00-002515: OL 9 local interactive user home directories must have mode 0750 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

OL09-00-002536: OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_group: Verify Permissions on group File

OL09-00-002537: OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_group: Verify Permissions on Backup group File

OL09-00-002542: OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_gshadow: Verify Permissions on gshadow File

OL09-00-002543: OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File

OL09-00-002548: OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_passwd: Verify Permissions on passwd File

OL09-00-002549: OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File

OL09-00-002554: OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File

OL09-00-002534: OL 9 /etc/group file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_group: Verify User Who Owns group File

OL09-00-002532: OL 9 /etc/group file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_group: Verify Group Who Owns group File

OL09-00-002535: OL 9 /etc/group- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_group: Verify User Who Owns Backup group File

OL09-00-002533: OL 9 /etc/group- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File

OL09-00-002540: OL 9 /etc/gshadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_gshadow: Verify User Who Owns gshadow File

OL09-00-002538: OL 9 /etc/gshadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File

OL09-00-002541: OL 9 /etc/gshadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File

OL09-00-002539: OL 9 /etc/gshadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File

OL09-00-002546: OL 9 /etc/passwd file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_passwd: Verify User Who Owns passwd File

OL09-00-002544: OL 9 /etc/passwd file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_passwd: Verify Group Who Owns passwd File

OL09-00-002547: OL 9 /etc/passwd- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File

OL09-00-002545: OL 9 /etc/passwd- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File

OL09-00-002552: OL 9 /etc/shadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_shadow: Verify User Who Owns shadow File

OL09-00-002550: OL 9 /etc/shadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_shadow: Verify Group Who Owns shadow File

OL09-00-002553: OL 9 /etc/shadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File

OL09-00-002551: OL 9 /etc/shadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File

OL09-00-002561: OL 9 /var/log directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log: Verify User Who Owns /var/log Directory

OL09-00-002560: OL 9 /var/log directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log: Verify Group Who Owns /var/log Directory

OL09-00-002564: OL 9 /var/log/messages file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log_messages: Verify User Who Owns /var/log/messages File

OL09-00-002563: OL 9 /var/log/messages file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log_messages: Verify Group Who Owns /var/log/messages File

OL09-00-002505: OL 9 system commands must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership

OL09-00-002504: OL 9 system commands must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account

OL09-00-002524: OL 9 library files must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership

OL09-00-002523: OL 9 library files must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

OL09-00-002521: OL 9 library directories must be owned by root.

Description: None

• medium

Automated: yes

• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership

OL09-00-002520: OL 9 library directories must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership

OL09-00-002571: OL 9 audit tools must be owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_ownership: Audit Tools Must Be Owned by Root

OL09-00-002570: OL 9 audit tools must be group-owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root

OL09-00-002582: OL 9 cron configuration files directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_deny: Verify Owner on cron.deny
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab

OL09-00-002581: OL 9 cron configuration files directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_deny: Verify Group Who Owns cron.deny
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab

OL09-00-002516: OL 9 world-writable directories must be owned by root, sys, bin, or an application user.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User

OL09-00-002510: A sticky bit must be set on all OL 9 public directories.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

OL09-00-002511: OL 9 local files and directories must have a valid group owner.

Description: None

• medium

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

OL09-00-002512: OL 9 local files and directories must have a valid owner.

Description: None

• medium

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

OL09-00-002500: OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

Description: None

• medium

Automated: yes

• selinux_all_devicefiles_labeled: Ensure No Device Files are Unlabeled by SELinux

OL09-00-002583: OL 9 /etc/crontab file must have mode 0600.

Description: None

• medium

Automated: yes

• file_permissions_crontab: Verify Permissions on crontab

OL09-00-002555: OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_shadow: Verify Permissions on shadow File

OL09-00-000220: OL 9 must have the firewalld package installed.

Description: None

• medium

Automated: yes

• package_firewalld_installed: Install firewalld Package

OL09-00-000221: The firewalld service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

OL09-00-000224: A OL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Description: None

• medium

Automated: yes

• configured_firewalld_default_deny: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

OL09-00-000223: OL 9 must control remote access methods.

Description: None

• medium

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports

OL09-00-006000: OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.

Description: None

• medium

Automated: yes

• firewalld-backend: Configure Firewalld to Use the Nftables Backend

OL09-00-000222: OL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Description: None

• medium

Automated: yes

• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception

OL09-00-006004: OL 9 network interfaces must not be in promiscuous mode.

Description: None

• medium

Automated: yes

• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer

OL09-00-002430: OL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

Description: None

• medium

Automated: yes

• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler

OL09-00-000310: OL 9 must have the chrony package installed.

Description: None

• medium

Automated: yes

• package_chrony_installed: The Chrony package is installed

OL09-00-000311: OL 9 chronyd service must be enabled.

Description: None

• medium

Automated: yes

• service_chronyd_enabled: The Chronyd service is enabled

OL09-00-002323: OL 9 must securely compare internal information system clocks at least every 24 hours.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_server_directive: Ensure Chrony is only configured with the server directive
• var_multiple_time_servers = stig
• var_time_service_set_maxpoll = 18_hours

OL09-00-002320: OL 9 must disable the chrony daemon from acting as a server.

Description: None

• low

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server

OL09-00-002321: OL 9 must disable network management of the chrony daemon.

Description: None

• low

Automated: yes

• chronyd_no_chronyc_network: Disable network management of chrony daemon

OL09-00-006003: OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.

Description: None

• medium

Automated: yes

• network_configure_name_resolution: Configure Multiple DNS Servers in /etc/resolv.conf

OL09-00-006002: OL 9 must configure a DNS processing mode set be Network Manager.

Description: None

• medium

Automated: yes

• networkmanager_dns_mode: NetworkManager DNS Mode Must Be Must Configured
• var_networkmanager_dns_mode = none

OL09-00-006010: OL 9 must not have unauthorized IP tunnels configured.

Description: None

• medium

Automated: yes

• libreswan_approved_tunnels: Verify Any Configured IPSec Tunnel Connections

OL09-00-002425: OL 9 must be configured to prevent unrestricted mail relaying.

Description: None

• medium

Automated: yes

• postfix_prevent_unrestricted_relay: Prevent Unrestricted Mail Relaying

OL09-00-002426: If the Trivial File Transfer Protocol (TFTP) server is required, OL 9 TFTP daemon must be configured to operate in secure mode.

Description: None

• medium

Automated: yes

• tftpd_uses_secure_mode: Ensure tftp Daemon Uses Secure Mode

OL09-00-000815: OL 9 must forward mail from postmaster to the root account using a postfix alias.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias_postmaster: Configure System to Forward All Mail From Postmaster to The Root Account

OL09-00-000410: OL 9 libreswan package must be installed.

Description: None

• medium

Automated: yes

• package_libreswan_installed: Install libreswan Package

OL09-00-002419: There must be no shosts.equiv files on OL 9.

Description: None

• high

Automated: yes

• no_host_based_files: Remove Host-Based Authentication Files

OL09-00-002420: There must be no .shosts files on OL 9.

Description: None

• high

Automated: yes

• no_user_host_based_files: Remove User Host-Based Authentication Files

OL09-00-006050: OL 9 must be configured to use TCP syncookies.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

OL09-00-006020: OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces

OL09-00-006021: OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

OL09-00-006022: OL 9 must log IPv4 packets with impossible addresses.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

OL09-00-006023: OL 9 must log IPv4 packets with impossible addresses by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

OL09-00-006024: OL 9 must use reverse path filtering on all IPv4 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

OL09-00-006025: OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

OL09-00-006026: OL 9 must not forward IPv4 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

OL09-00-006027: OL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

OL09-00-006030: OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

OL09-00-006031: OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

OL09-00-006032: OL 9 must not send Internet Control Message Protocol (ICMP) redirects.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

OL09-00-006033: OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

OL09-00-006028: OL 9 must not enable IPv4 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_forwarding: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

OL09-00-006040: OL 9 must not accept router advertisements on all IPv6 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces

OL09-00-006041: OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces

OL09-00-006042: OL 9 must not forward IPv6 source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

OL09-00-006043: OL 9 must not enable IPv6 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

OL09-00-006044: OL 9 must not accept router advertisements on all IPv6 interfaces by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

OL09-00-006045: OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

OL09-00-006046: OL 9 must not forward IPv6 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

OL09-00-000250: OL 9 networked systems must have SSH installed.

Description: None

• medium

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package

OL09-00-000251: OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

Description: None

• medium

Automated: yes

• service_sshd_enabled: Enable the OpenSSH Service

OL09-00-000260: OL 9 must have the openssh-clients package installed.

Description: None

• medium

Automated: yes

• package_openssh-clients_installed: Install OpenSSH client software

OL09-00-000256: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.

Description: None

• medium

Automated: yes

• sshd_enable_warning_banner: Enable SSH Warning Banner

OL09-00-002340: OL 9 must log SSH connection attempts and failures to the server.

Description: None

• medium

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

OL09-00-002355: OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.

Description: None

• medium

Automated: yes

• sshd_disable_compression: Disable Compression Or Set Compression to delayed
• var_sshd_disable_compression = no

OL09-00-002359: OL 9 SSHD must accept public key authentication.

Description: None

• medium

Automated: yes

• sshd_enable_pubkey_auth: Enable Public Key Authentication

OL09-00-002343: OL 9 SSHD must not allow blank passwords.

Description: None

• high

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

OL09-00-002345: OL 9 must not permit direct logons to the root account using remote access via SSH.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

OL09-00-002344: OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

Description: None

• high

Automated: yes

• sshd_enable_pam: Enable PAM

OL09-00-000261: OL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140 Validated Ciphers: openssh.config
• sshd_approved_ciphers = stig_ol9

OL09-00-000252: The OL 9 SSH daemon must be configured to use systemwide cryptographic policies.

Description: None

• medium

Automated: yes

• file_sshd_50_redhat_exists: The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist
• sshd_include_crypto_policy: SSHD Must Include System Crypto Policy Config File

OL09-00-000254: OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_opensshserver_conf_crypto_policy: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config
• sshd_approved_ciphers = stig_ol9

OL09-00-000262: OL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: yes

• sshd_strong_macs = stig_ol9
• sshd_use_strong_macs: Use Only Strong MACs

OL09-00-000255: OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: no

No rules selected

OL09-00-002357: OL 9 must not allow a noncertificate trusted host SSH logon to the system.

Description: None

• medium

Automated: yes

• disable_host_auth: Disable Host-Based Authentication

OL09-00-002358: OL 9 must not allow users to override SSH environment variables.

Description: None

• medium

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

OL09-00-002342: OL 9 must force a frequent session key renegotiation for SSH connections to the server.

Description: None

• medium

Automated: yes

• sshd_rekey_limit: Force frequent session key renegotiation
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour

OL09-00-002346: OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_sshd_set_keepalive = 1

OL09-00-002347: OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_idle_timeout_value = 10_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval

OL09-00-002507: OL 9 SSH server configuration file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file

OL09-00-002508: OL 9 SSH server configuration file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_sshd_config: Verify Owner on SSH Server config file

OL09-00-002509: OL 9 SSH server configuration file must have mode 0600 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_config: Verify Permissions on SSH Server config file

OL09-00-002502: OL 9 SSH private host key files must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

OL09-00-002503: OL 9 SSH public host key files must have mode 0644 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

OL09-00-002341: OL 9 SSH daemon must not allow GSSAPI authentication.

Description: None

• medium

Automated: yes

• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

OL09-00-002356: OL 9 SSH daemon must not allow Kerberos authentication.

Description: None

• medium

Automated: yes

• sshd_disable_kerb_auth: Disable Kerberos Authentication

OL09-00-002348: OL 9 SSH daemon must not allow rhosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

OL09-00-002349: OL 9 SSH daemon must not allow known hosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

OL09-00-002350: OL 9 SSH daemon must disable remote X connections for interactive users.

Description: None

• medium

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

OL09-00-002351: OL 9 SSH daemon must perform strict mode checking of home directory configuration files.

Description: None

• medium

Automated: yes

• sshd_enable_strictmodes: Enable Use of Strict Mode Checking

OL09-00-002352: OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• medium

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

OL09-00-002354: OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.

Description: None

• medium

Automated: yes

• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display

OL09-00-002150: OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

OL09-00-002151: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: no

• dconf_gnome_login_banner_text: Set the GNOME3 Login Warning Banner Text
• login_banner_text = dod_default

OL09-00-002122: OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

OL09-00-002100: OL 9 must disable the graphical user interface automount function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

OL09-00-002120: OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

OL09-00-002101: OL 9 must disable the graphical user interface autorun function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

OL09-00-002121: OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

OL09-00-002161: OL 9 must not allow unattended or automatic logon via the graphical user interface.

Description: None

• high

Automated: yes

• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login

OL09-00-002160: OL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

OL09-00-002126: OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

OL09-00-002123: OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

OL09-00-002104: OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout

OL09-00-002124: OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings

OL09-00-002103: OL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period

OL09-00-002125: OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings

OL09-00-002106: OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_mode_blank: Implement Blank Screensaver

OL09-00-002162: OL 9 effective dconf policy must match the policy keyfiles.

Description: None

• medium

Automated: yes

• dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles

OL09-00-002127: OL 9 must disable the ability of a user to restart the system from the login screen.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

OL09-00-002128: OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

OL09-00-002107: OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

OL09-00-002129: OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

OL09-00-002102: OL 9 must disable the user list at logon for graphical user interfaces.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

OL09-00-000047: OL 9 must be configured to disable USB mass storage.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

OL09-00-000320: OL 9 must have the USBGuard package installed.

Description: None

• medium

Automated: yes

• package_usbguard_installed: Install usbguard Package

OL09-00-000321: OL 9 must have the USBGuard package enabled.

Description: None

• medium

Automated: yes

• service_usbguard_enabled: Enable the USBGuard Service

OL09-00-002330: OL 9 must enable Linux audit logging for the USBGuard daemon.

Description: None

• low

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit

OL09-00-002331: OL 9 must block unauthorized peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• usbguard_generate_policy: Generate USBGuard Policy

OL09-00-002332: OL 9 must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

OL09-00-000046: OL 9 Bluetooth must be disabled.

Description: None

• medium

Automated: yes

• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module

OL09-00-006001: OL 9 wireless network adapters must be disabled.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

OL09-00-001090: OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow.

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

OL09-00-001095: OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age

OL09-00-001100: OL 9 user account passwords must have a 60-day maximum password lifetime restriction.

Description: None

• medium

Automated: yes

• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 60

OL09-00-003052: OL 9 local interactive user accounts must be assigned a home directory upon creation.

Description: None

• medium

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

OL09-00-003060: OL 9 must set the umask value to 077 for all local interactive user accounts.

Description: None

• medium

Automated: yes

• accounts_umask_interactive_users: Ensure the Default Umask is Set Correctly For Interactive Users
• var_accounts_user_umask = 077

OL09-00-003001: OL 9 duplicate User IDs (UIDs) must not exist for interactive users.

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

OL09-00-003051: OL 9 system accounts must not have an interactive login shell.

Description: None

• medium

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

OL09-00-003030: OL 9 must automatically expire temporary accounts within 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

OL09-00-003005: OL 9 interactive users must have a primary group that exists.

Description: None

• medium

Automated: yes

• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

OL09-00-003065: OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity
• var_account_disable_post_pw_expiration = 35

OL09-00-003053: Executable search paths within the initialization files of all local interactive OL 9 users must only contain paths that resolve to the system default or the users home directory.

Description: None

• medium

Automated: yes

• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

OL09-00-003002: OL 9 local interactive users must have a home directory assigned in the /etc/passwd file.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined

OL09-00-003050: OL 9 local interactive user home directories defined in the /etc/passwd file must exist.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

OL09-00-002514: OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.

Description: None

• medium

Automated: yes

• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

OL09-00-003020: OL 9 must automatically lock an account when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3

OL09-00-003021: OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts

OL09-00-002416: OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• var_accounts_passwords_pam_faillock_fail_interval = 900

OL09-00-002417: OL 9 must maintain an account lock until the locked account is released by an administrator.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_unlock_time = never

OL09-00-002501: OL 9 must not have unauthorized accounts.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
• var_accounts_authorized_local_users_regex = ol9

OL09-00-003000: The root account must be the only account having unrestricted access to OL 9 system.

Description: None

• high

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

OL09-00-003023: OL 9 must ensure account lockouts persist.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist

OL09-00-003006: OL 9 groups must have unique Group ID (GID).

Description: None

• medium

Automated: yes

• group_unique_id: Ensure All Groups on the System Have Unique Group ID

OL09-00-002422: OL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_exec_shield: Enable ExecShield via sysctl

OL09-00-002427: Local OL 9 initialization files must not execute world-writable programs.

Description: None

• medium

Automated: yes

• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

OL09-00-002411: OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 15_min

OL09-00-002415: OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

OL09-00-003022: OL 9 must log username information when unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_audit: Account Lockouts Must Be Logged

OL09-00-003070: OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs
• var_accounts_fail_delay = 4

OL09-00-002301: OL 9 must define default permissions for the bash shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly

OL09-00-002302: OL 9 must define default permissions for the c shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_csh_cshrc: Ensure the Default C Shell Umask is Set Correctly

OL09-00-002304: OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

OL09-00-002303: OL 9 must define default permissions for the system default profile.

Description: None

• medium

Automated: yes

• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile

OL09-00-000060: OL 9 must use a Linux Security Module configured to enforce limits on system services.

Description: None

• high

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

OL09-00-000065: OL 9 must enable the SELinux targeted policy.

Description: None

• medium

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

OL09-00-003010: OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

Description: None

• medium

Automated: yes

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory

OL09-00-000200: OL 9 must have policycoreutils package installed.

Description: None

• medium

Automated: yes

• package_policycoreutils_installed: Install policycoreutils Package

OL09-00-000210: OL 9 policycoreutils-python-utils package must be installed.

Description: None

• medium

Automated: yes

• package_policycoreutils-python-utils_installed: Install policycoreutils-python-utils package

OL09-00-000230: OL 9 must have the sudo package installed.

Description: None

• medium

Automated: yes

• package_sudo_installed: Install sudo Package

OL09-00-002360: OL 9 must require reauthentication when using the "sudo" command.

Description: None

• medium

Automated: yes

• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
• var_sudo_timestamp_timeout = always_prompt

OL09-00-000231: OL 9 must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• medium

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

OL09-00-002362: OL 9 must require users to reauthenticate for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

OL09-00-000232: OL 9 must restrict privilege elevation to authorized personnel.

Description: None

• medium

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

OL09-00-002361: OL 9 must restrict the use of the "su" command.

Description: None

• medium

Automated: yes

• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

OL09-00-000340: OL 9 fapolicy module must be installed.

Description: None

• medium

Automated: yes

• package_fapolicyd_installed: Install fapolicyd Package

OL09-00-000341: OL 9 fapolicy module must be enabled.

Description: None

• medium

Automated: yes

• service_fapolicyd_enabled: Enable the File Access Policy Service

OL09-00-001001: OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.

Description: None

• medium

Automated: yes

• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• var_password_pam_retry = 3

OL09-00-001110: OL 9 must not allow blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

OL09-00-003011: OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_system_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.

OL09-00-003012: OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_password_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.

OL09-00-001010: OL 9 must ensure the password complexity module is enabled in the password-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth

OL09-00-001000: OL 9 must ensure the password complexity module is enabled in the system-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth

OL09-00-001065: OL 9 password-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_password_auth: Set number of Password Hashing Rounds - password-auth
• var_password_pam_unix_rounds = 5000

OL09-00-001070: OL 9 system-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_system_auth: Set number of Password Hashing Rounds - system-auth

OL09-00-001045: OL 9 must enforce password complexity rules for the root account.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User

OL09-00-001015: OL 9 must enforce password complexity by requiring that at least one lowercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• var_password_pam_lcredit = 1

OL09-00-001020: OL 9 must enforce password complexity by requiring that at least one numeric character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• var_password_pam_dcredit = 1

OL09-00-001085: OL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age

OL09-00-001085: OL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

OL09-00-002363: OL 9 must require users to provide a password for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

OL09-00-001105: OL 9 passwords must be created with a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• var_password_pam_minlen = 15

OL09-00-001105: OL 9 passwords for new users must have a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs

OL09-00-001120: OL 9 must enforce password complexity by requiring that at least one special character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• var_password_pam_ocredit = 1

OL09-00-001125: OL 9 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
• var_password_pam_dictcheck = 1

OL09-00-001005: OL 9 must enforce password complexity by requiring that at least one uppercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_ucredit = 1

OL09-00-001025: OL 9 must require the change of at least eight characters when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters
• var_password_pam_difok = 8

OL09-00-001030: OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxclassrepeat: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
• var_password_pam_maxclassrepeat = 4

OL09-00-001035: OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters
• var_password_pam_maxrepeat = 3

OL09-00-001040: OL 9 must require the change of at least four character classes when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• var_password_pam_minclass = 4

OL09-00-001050: OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• var_password_hashing_algorithm_pam = sha512

OL09-00-001055: OL 9 must be configured to use the shadow file to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• var_password_hashing_algorithm = SHA512

OL09-00-002364: OL 9 must not be configured to bypass password requirements for privilege escalation.

Description: None

• medium

Automated: yes

• disallow_bypass_password_sudo: Disallow Configuration to Bypass Password Requirements for Privilege Escalation

OL09-00-001075: OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

OL09-00-001130: OL 9 must not have accounts configured with blank or null passwords.

Description: None

• medium

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

OL09-00-000940: OL 9 must use the CAC smart card driver.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• var_smartcard_drivers = cac

OL09-00-000925: OL 9 must enable certificate based smart card authentication.

Description: None

• medium

Automated: yes

• sssd_enable_smartcards: Enable Smartcards in SSSD

OL09-00-000930: OL 9 must implement certificate status checking for multifactor authentication.

Description: None

• medium

Automated: yes

• sssd_certificate_verification: Certificate status checking in SSSD
• var_sssd_certificate_verification_digest_function = sha512

OL09-00-000390: OL 9 must have the pcsc-lite package installed.

Description: None

• medium

Automated: yes

• package_pcsc-lite_installed: Install the pcsc-lite package

OL09-00-000401: The pcscd service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_pcscd_enabled: Enable the pcscd Service

OL09-00-000400: OL 9 must have the opensc package installed.

Description: None

• medium

Automated: yes

• package_opensc_installed: Install the opensc Package For Multifactor Authentication

OL09-00-000905: OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: yes

• ssh_keys_passphrase_protected: Verify the SSH Private Key Files Have a Passcode

OL09-00-000025: OL 9 must require authentication to access emergency mode.

Description: None

• medium

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

OL09-00-000030: OL 9 must require authentication to access single-user mode.

Description: None

• medium

Automated: yes

• require_singleuser_auth: Require Authentication for Single User Mode

OL09-00-000900: OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: yes

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

OL09-00-000910: OL 9 must map the authenticated identity to the user or group account for PKI-based authentication.

Description: None

• medium

Automated: yes

• sssd_enable_certmap: Enable Certmap in SSSD

OL09-00-000935: OL 9 must prohibit the use of cached authenticators after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

OL09-00-000300: OL 9 must have the AIDE package installed.

Description: None

• medium

Automated: yes

• package_aide_installed: Install AIDE

OL09-00-000301: OL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

OL09-00-000302: OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

Description: None

• medium

Automated: yes

• aide_use_fips_hashes: Configure AIDE to Use FIPS 140-2 for Validating Hashes

OL09-00-000710: OL 9 must use cryptographic mechanisms to protect the integrity of audit tools.

Description: None

• medium

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

OL09-00-000303: OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).

Description: None

• low

Automated: yes

• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)

OL09-00-000304: OL 9 must be configured so that the file integrity tool verifies extended attributes.

Description: None

• low

Automated: yes

• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes

OL09-00-000350: OL 9 must have the rsyslog package installed.

Description: None

• medium

Automated: yes

• package_rsyslog_installed: Ensure rsyslog is Installed

OL09-00-000355: OL 9 must have the packages required for encrypting offloaded audit logs installed.

Description: None

• medium

Automated: yes

• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed

OL09-00-000351: The rsyslog service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

OL09-00-005030: OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Description: None

• medium

Automated: yes

• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

OL09-00-005000: OL 9 remote access methods must be monitored.

Description: None

• medium

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog

OL09-00-000855: OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.

Description: None

• medium

Automated: yes

• auditd_audispd_syslog_plugin_activated: Configure auditd to use audispd's syslog plugin

OL09-00-005015: OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records

OL09-00-005020: OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records

OL09-00-005025: OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records

OL09-00-005005: OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

OL09-00-005010: OL 9 must use cron logging.

Description: None

• medium

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

OL09-00-000440: OL 9 audit package must be installed.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed

OL09-00-000441: OL 9 audit service must be enabled.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

OL09-00-000760: OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action_stig: Configure auditd Disk Error Action on Disk Error
• var_auditd_disk_error_action = halt

OL09-00-000765: OL 9 audit system must take appropriate action when the audit storage volume is full.

Description: None

• medium

Automated: yes

• auditd_data_disk_full_action_stig: Configure auditd Disk Full Action when Disk Space Is Full
• var_auditd_disk_full_action = halt

OL09-00-000850: OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs

OL09-00-000865: OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space
• var_auditd_space_left_percentage = 25pc

OL09-00-000870: OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• var_auditd_space_left_action = email

OL09-00-000875: OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• var_auditd_admin_space_left_percentage = 5pc

OL09-00-000875: OL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = halt

OL09-00-000770: OL 9 audit system must take appropriate action when the audit files have reached maximum size.

Description: None

• medium

Automated: yes

• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_auditd_max_log_file_action = rotate

OL09-00-000755: OL 9 must label all offloaded audit logs before sending them to the central log server.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• var_auditd_name_format = stig

OL09-00-000860: OL 9 must take appropriate action when the internal event queue is full.

Description: None

• medium

Automated: yes

• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

OL09-00-000825: OL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

Description: None

• medium

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
• var_auditd_action_mail_acct = root

OL09-00-000800: OL 9 audit system must audit local events.

Description: None

• medium

Automated: yes

• auditd_local_events: Include Local Events in Audit Logs

OL09-00-000785: OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root

OL09-00-000790: OL 9 audit log directory must be owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root

OL09-00-000795: OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.

Description: None

• medium

Automated: yes

• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

OL09-00-000775: OL 9 must periodically flush audit records to disk to prevent the loss of audit records.

Description: None

• medium

Automated: yes

• auditd_freq: Set number of records to cause an explicit flush to audit logs
• var_auditd_freq = 100

OL09-00-000835: OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.

Description: None

• medium

Automated: yes

• auditd_log_format: Resolve information before writing to audit logs

OL09-00-000880: OL 9 must write audit records to disk.

Description: None

• medium

Automated: yes

• auditd_write_logs: Write Audit Logs to the Disk

OL09-00-000885: OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = single

OL09-00-000805: OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_rulesd: Verify Permissions on /etc/audit/rules.d/*.rules

OL09-00-000810: OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_auditd: Verify Permissions on /etc/audit/auditd.conf

OL09-00-000830: OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

OL09-00-002405: OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

OL09-00-000450: OL 9 audispd-plugins package must be installed.

Description: None

• medium

Automated: yes

• package_audispd-plugins_installed: Install audispd-plugins Package

OL09-00-000715: OL 9 must audit uses of the "execve" system call.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

OL09-00-000640: OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat

OL09-00-000645: OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

OL09-00-000545: OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

OL09-00-000705: OL 9 must audit all uses of umount system calls.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount

OL09-00-000665: OL 9 must audit all uses of the chacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chacl: Record Any Attempts to Run chacl

OL09-00-000560: OL 9 must audit all uses of the setfacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

OL09-00-000555: OL 9 must audit all uses of the chcon command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon

OL09-00-000650: OL 9 must audit all uses of the semanage command.

Description: None

• medium

Automated: yes

• audit_rules_execution_semanage: Record Any Attempts to Run semanage

OL09-00-000655: OL 9 must audit all uses of the setfiles command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles

OL09-00-000660: OL 9 must audit all uses of the setsebool command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

OL09-00-000680: OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

Description: None

• medium

Automated: yes

• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

OL09-00-000635: OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

OL09-00-000685: OL 9 must audit all uses of the delete_module system call.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module

OL09-00-000690: OL 9 must audit all uses of the init_module and finit_module system calls.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module

OL09-00-000550: OL 9 must audit all uses of the chage command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

OL09-00-000565: OL 9 must audit all uses of the chsh command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

OL09-00-000570: OL 9 must audit all uses of the crontab command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

OL09-00-000575: OL 9 must audit all uses of the gpasswd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

OL09-00-000695: OL 9 must audit all uses of the kmod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

OL09-00-000580: OL 9 must audit all uses of the newgrp command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

OL09-00-000585: OL 9 must audit all uses of the pam_timestamp_check command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

OL09-00-000590: OL 9 must audit all uses of the passwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd

OL09-00-000595: OL 9 must audit all uses of the postdrop command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

OL09-00-000600: OL 9 must audit all uses of the postqueue command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

OL09-00-000605: OL 9 must audit all uses of the ssh-agent command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

OL09-00-000610: OL 9 must audit all uses of the ssh-keysign command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

OL09-00-000540: OL 9 must audit all uses of the su command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su

OL09-00-000670: OL 9 must audit all uses of the sudo command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

OL09-00-000615: OL 9 must audit all uses of the sudoedit command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

OL09-00-000620: OL 9 must audit all uses of the unix_chkpwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

OL09-00-000535: OL 9 must audit all uses of the unix_update command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

OL09-00-000625: OL 9 must audit all uses of the userhelper command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

OL09-00-000675: OL 9 must audit all uses of the usermod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

OL09-00-000630: OL 9 must audit all uses of the mount command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount

OL09-00-000730: Successful/unsuccessful uses of the init command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_init: Ensure auditd Collects Information on the Use of Privileged Commands - init

OL09-00-000735: Successful/unsuccessful uses of the poweroff command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_poweroff: Ensure auditd Collects Information on the Use of Privileged Commands - poweroff

OL09-00-000740: Successful/unsuccessful uses of the reboot command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_reboot: Ensure auditd Collects Information on the Use of Privileged Commands - reboot

OL09-00-000745: Successful/unsuccessful uses of the shutdown command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_shutdown: Ensure auditd Collects Information on the Use of Privileged Commands - shutdown

OL09-00-000840: Successful/unsuccessful uses of the umount system call in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount

OL09-00-000845: Successful/unsuccessful uses of the umount2 system call in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2

OL09-00-000500: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers

OL09-00-000505: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

Description: None

• medium

Automated: yes

• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

OL09-00-000510: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group

OL09-00-000515: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow

OL09-00-000520: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

OL09-00-000525: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

OL09-00-000530: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

OL09-00-000720: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock

OL09-00-000700: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

OL09-00-000725: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

OL09-00-000820: OL 9 must take appropriate action when a critical audit processing failure occurs.

Description: None

• medium

Automated: yes

• audit_rules_system_shutdown: Shutdown System When Auditing Failures Occur

OL09-00-008000: OL 9 audit system must protect logon UIDs from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable_login_uids: Configure immutable Audit login UIDs

OL09-00-008005: OL 9 audit system must protect auditing rules from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

OL09-00-000070: OL 9 must enable FIPS mode.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1
• var_system_crypto_policy = fips

OL09-00-001080: OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.

Description: None

• medium

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512

OL09-00-002404: OL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.

Description: None

• medium

Automated: yes

• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy

OL09-00-001060: OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• var_password_hashing_algorithm_pam = sha512

OL09-00-000240: OL 9 must have the crypto-policies package installed.

Description: None

• medium

Automated: yes

• package_crypto-policies_installed: Install crypto-policies package

OL09-00-000243: OL 9 must be configured so that the cryptographic hashes of system files match vendor values.

Description: None

• medium

Automated: yes

• rpm_verify_hashes: Verify File Hashes with RPM

OL09-00-000244: OL 9 crypto policy files must match files shipped with the operating system.

Description: None

• high

Automated: no

No rules selected

OL09-00-000242: OL 9 crypto policy must not be overridden.

Description: None

• medium

Automated: no

No rules selected

OL09-00-002424: OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Description: None

• medium

Automated: yes

• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy

OL09-00-000241: OL 9 must implement a system-wide encryption policy.

Description: None

• medium

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

OL09-00-002421: OL 9 must implement DOD-approved encryption in the bind package.

Description: None

• medium

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy

OL09-00-900140: OL 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to OL 9.

Description: None

• medium

Automated: no

• only_allow_dod_certs: Only Allow DoD PKI-established CAs