Definition of Oracle Linux 9 Security Technical Implementation Guide for ol9

needed_rules: None

Description: None

• medium

Automated: no

• enable_authselect: Enable authselect
• var_authselect_profile = sssd

211010: OL 9 must be a vendor-supported release.

Description: None

• high

Automated: yes

• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported

211015: OL 9 vendor packaged system security patches and updates must be installed and up to date.

Description: None

• medium

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

211020: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = dod_banners

211025: OL 9 must implement the Endpoint Security for Linux Threat Prevention tool.

Description: None

• medium

Automated: yes

• agent_mfetpd_running: Ensure McAfee Endpoint Security for Linux (ENSL) is running
• package_mcafeetp_installed: Install McAfee Endpoint Security for Linux (ENSL)

211030: The graphical display manager must not be the default target on OL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_runlevel_target: Disable X Windows Startup By Setting Default Target

211035: OL 9 must enable the hardware random number generator entropy gatherer service.

Description: None

• low

Automated: no

No rules selected

211040: OL 9 systemd-journald service must be enabled.

Description: None

• medium

Automated: yes

• service_systemd-journald_enabled: Enable systemd-journald Service

211045: The systemd Ctrl-Alt-Delete burst key sequence in OL 9 must be disabled.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action

211050: The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 9.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

211055: OL 9 debug-shell systemd service must be disabled.

Description: None

• medium

Automated: yes

• service_debug-shell_disabled: Disable debug-shell SystemD Service

212010: OL 9 must require a boot loader superuser password.

Description: None

• medium

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

212015: OL 9 must disable the ability of systemd to spawn an interactive boot process.

Description: None

• medium

Automated: yes

• grub2_disable_interactive_boot: Verify that Interactive Boot is Disabled

212020: OL 9 must require a unique superusers name upon booting into single-user and maintenance modes.

Description: None

• high

Automated: yes

• grub2_admin_username: Set the Boot Loader Admin Username to a Non-Default Value

212025: OL 9 /boot/grub2/grub.cfg file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership

212030: OL 9 /boot/grub2/grub.cfg file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership

212035: OL 9 must disable virtual system calls.

Description: None

• medium

Automated: yes

• grub2_vsyscall_argument: Disable vsyscalls

212040: OL 9 must clear the page allocator to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_page_poison_argument: Enable page allocator poisoning

212045: OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning

212050: OL 9 must enable mitigations against processor-based vulnerabilities.

Description: None

• low

Automated: yes

• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)

212055: OL 9 must enable auditing of processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

213010: OL 9 must restrict access to the kernel message buffer.

Description: None

• medium

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

213015: OL 9 must prevent kernel profiling by nonprivileged users.

Description: None

• medium

Automated: yes

• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

213020: OL 9 must prevent the loading of a new kernel for later execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading

213025: OL 9 must restrict exposed kernel pointer addresses access.

Description: None

• medium

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

213030: OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks

213035: OL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

213040: OL 9 must disable the kernel.core_pattern.

Description: None

• medium

Automated: yes

• sysctl_kernel_core_pattern: Disable storing core dumps

213045: OL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.

Description: None

• medium

Automated: yes

• kernel_module_atm_disabled: Disable ATM Support

213050: OL 9 must be configured to disable the Controller Area Network kernel module.

Description: None

• medium

Automated: yes

• kernel_module_can_disabled: Disable CAN Support

213055: OL 9 must be configured to disable the FireWire kernel module.

Description: None

• medium

Automated: yes

• kernel_module_firewire-core_disabled: Disable IEEE 1394 (FireWire) Support

213060: OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support

213065: OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_tipc_disabled: Disable TIPC Support

213070: OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

213075: OL 9 must disable access to network bpf system call from nonprivileged processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes

213080: OL 9 must restrict usage of ptrace to descendant processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

213085: OL 9 must disable core dump backtraces.

Description: None

• medium

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces

213090: OL 9 must disable storing core dumps.

Description: None

• medium

Automated: yes

• coredump_disable_storage: Disable storing core dump

213095: OL 9 must disable core dumps for all users.

Description: None

• medium

Automated: yes

• disable_users_coredumps: Disable Core Dumps for All Users

213100: OL 9 must disable acquiring, saving, and processing core dumps.

Description: None

• medium

Automated: yes

• service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps

213105: OL 9 must disable the use of user namespaces.

Description: None

• medium

Automated: yes

• sysctl_user_max_user_namespaces: Disable the use of user namespaces

213115: The kdump service on OL 9 must be disabled.

Description: None

• medium

Automated: yes

• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)

214010: OL 9 must ensure cryptographic verification of vendor software packages.

Description: None

• medium

Automated: yes

• ensure_oracle_gpgkey_installed: Ensure Oracle Linux GPG Key Installed

214015: OL 9 must check the GPG signature of software packages originating from external software repositories before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main yum Configuration

214020: OL 9 must check the GPG signature of locally installed software packages before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages

214025: OL 9 must have GPG signature verification enabled for all software repositories.

Description: None

• high

Automated: yes

• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All yum Package Repositories

214030: OL 9 must be configured so that the cryptographic hashes of system files match vendor values.

Description: None

• medium

Automated: no

No rules selected

214035: OL 9 must remove all software components after updated versions have been installed.

Description: None

• low

Automated: yes

• clean_components_post_updating: Ensure yum Removes Previous Package Versions

215015: OL 9 must not have a File Transfer Protocol (FTP) server package installed.

Description: None

• high

Automated: yes

• package_vsftpd_removed: Uninstall vsftpd Package

215020: OL 9 must not have the sendmail package installed.

Description: None

• medium

Automated: yes

• package_sendmail_removed: Uninstall Sendmail Package

215025: OL 9 must not have the nfs-utils package installed.

Description: None

• medium

Automated: yes

• package_nfs-utils_removed: Uninstall nfs-utils Package

215035: OL 9 must not have the rsh-server package installed.

Description: None

• medium

Automated: yes

• package_rsh-server_removed: Uninstall rsh-server Package

215040: OL 9 must not have the telnet-server package installed.

Description: None

• medium

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

215045: OL 9 must not have the gssproxy package installed.

Description: None

• medium

Automated: yes

• package_gssproxy_removed: Uninstall gssproxy Package

215050: OL 9 must not have the iprutils package installed.

Description: None

• medium

Automated: yes

• package_iprutils_removed: Uninstall iprutils Package

215055: OL 9 must not have the tuned package installed.

Description: None

• medium

Automated: yes

• package_tuned_removed: Uninstall tuned Package

215060: OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.

Description: None

• high

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package

215065: OL 9 must not have the quagga package installed.

Description: None

• medium

Automated: yes

• package_quagga_removed: Uninstall quagga Package

215070: A graphical display manager must not be installed on OL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_remove_packages: Disable graphical user interface

215075: OL 9 must have the openssl-pkcs11 package installed.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

215080: OL 9 must have the gnutls-utils package installed.

Description: None

• medium

Automated: yes

• package_gnutls-utils_installed: Ensure gnutls-utils is installed

215085: OL 9 must have the nss-tools package installed.

Description: None

• medium

Automated: yes

• package_nss-tools_installed: Ensure nss-tools is installed

215090: OL 9 must have the rng-tools package installed.

Description: None

• medium

Automated: yes

• package_rng-tools_installed: Install rng-tools Package

215095: OL 9 must have the s-nail package installed.

Description: None

• medium

Automated: yes

• package_s-nail_installed: The s-nail Package Is Installed

231010: A separate OL 9 file system must be used for user home directories (such as /home or an equivalent).

Description: None

• medium

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

231015: OL 9 must use a separate file system for /tmp.

Description: None

• medium

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

231020: OL 9 must use a separate file system for /var.

Description: None

• low

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

231025: OL 9 must use a separate file system for /var/log.

Description: None

• low

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

231030: OL 9 must use a separate file system for the system audit data path.

Description: None

• low

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

231035: OL 9 must use a separate file system for /var/tmp.

Description: None

• medium

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

231040: OL 9 file system automount function must be disabled unless required.

Description: None

• medium

Automated: yes

• service_autofs_disabled: Disable the Automounter

231045: OL 9 must prevent device files from being interpreted on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nodev: Add nodev Option to /home

231050: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

231055: OL 9 must prevent code from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_noexec: Add noexec Option to /home

231060: OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.

Description: None

• medium

Automated: yes

• mount_option_krb_sec_remote_filesystems: Mount Remote Filesystems with Kerberos Security

231065: OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nodev_remote_filesystems: Mount Remote Filesystems with nodev

231070: OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec

231075: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid

231080: OL 9 must prevent code from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

231085: OL 9 must prevent special devices on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions

231090: OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

231095: OL 9 must mount /boot with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_boot_nodev: Add nodev Option to /boot

231100: OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

Description: None

• medium

Automated: yes

• mount_option_boot_nosuid: Add nosuid Option to /boot

231105: OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

Description: None

• medium

Automated: yes

• mount_option_boot_efi_nosuid: Add nosuid Option to /boot/efi

231110: OL 9 must mount /dev/shm with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

231115: OL 9 must mount /dev/shm with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

231120: OL 9 must mount /dev/shm with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

231125: OL 9 must mount /tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp

231130: OL 9 must mount /tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_tmp_noexec: Add noexec Option to /tmp

231135: OL 9 must mount /tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nosuid: Add nosuid Option to /tmp

231140: OL 9 must mount /var with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_nodev: Add nodev Option to /var

231145: OL 9 must mount /var/log with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log

231150: OL 9 must mount /var/log with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_noexec: Add noexec Option to /var/log

231155: OL 9 must mount /var/log with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nosuid: Add nosuid Option to /var/log

231160: OL 9 must mount /var/log/audit with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

231165: OL 9 must mount /var/log/audit with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

231170: OL 9 must mount /var/log/audit with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

231175: OL 9 must mount /var/tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

231180: OL 9 must mount /var/tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

231185: OL 9 must mount /var/tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

231190: OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

231195: OL 9 must disable mounting of cramfs.

Description: None

• low

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

231200: OL 9 must prevent special devices on non-root local partitions.

Description: None

• medium

Automated: yes

• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions

232010: OL 9 system commands must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions

232015: OL 9 library directories must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions

232020: OL 9 library files must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions

232025: OL 9 /var/log directory must have mode 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log: Verify Permissions on /var/log Directory

232030: OL 9 /var/log/messages file must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log_messages: Verify Permissions on /var/log/messages File

232035: OL 9 audit tools must have a mode of 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

232040: OL 9 cron configuration directories must have a mode of 0700 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly

232045: All OL 9 local initialization files must have mode 0740 or less permissive.

Description: None

• medium

Automated: yes

• file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

232050: All OL 9 local interactive user home directories must have mode 0750 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

232055: OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_group: Verify Permissions on group File

232060: OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_group: Verify Permissions on Backup group File

232065: OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_gshadow: Verify Permissions on gshadow File

232070: OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File

232075: OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_passwd: Verify Permissions on passwd File

232080: OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File

232085: OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File

232090: OL 9 /etc/group file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_group: Verify User Who Owns group File

232095: OL 9 /etc/group file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_group: Verify Group Who Owns group File

232100: OL 9 /etc/group- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_group: Verify User Who Owns Backup group File

232105: OL 9 /etc/group- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File

232110: OL 9 /etc/gshadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_gshadow: Verify User Who Owns gshadow File

232115: OL 9 /etc/gshadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File

232120: OL 9 /etc/gshadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File

232125: OL 9 /etc/gshadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File

232130: OL 9 /etc/passwd file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_passwd: Verify User Who Owns passwd File

232135: OL 9 /etc/passwd file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_passwd: Verify Group Who Owns passwd File

232140: OL 9 /etc/passwd- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File

232145: OL 9 /etc/passwd- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File

232150: OL 9 /etc/shadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_shadow: Verify User Who Owns shadow File

232155: OL 9 /etc/shadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_shadow: Verify Group Who Owns shadow File

232160: OL 9 /etc/shadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File

232165: OL 9 /etc/shadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File

232170: OL 9 /var/log directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log: Verify User Who Owns /var/log Directory

232175: OL 9 /var/log directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log: Verify Group Who Owns /var/log Directory

232180: OL 9 /var/log/messages file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log_messages: Verify User Who Owns /var/log/messages File

232185: OL 9 /var/log/messages file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log_messages: Verify Group Who Owns /var/log/messages File

232190: OL 9 system commands must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership

232195: OL 9 system commands must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account

232200: OL 9 library files must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership

232205: OL 9 library files must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

232210: OL 9 library directories must be owned by root.

Description: None

• medium

Automated: yes

• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership

232215: OL 9 library directories must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership

232220: OL 9 audit tools must be owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_ownership: Audit Tools Must Be Owned by Root

232225: OL 9 audit tools must be group-owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root

232230: OL 9 cron configuration files directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_deny: Verify Owner on cron.deny
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab

232235: OL 9 cron configuration files directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_deny: Verify Group Who Owns cron.deny
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab

232240: All OL 9 world-writable directories must be owned by root, sys, bin, or an application user.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User

232245: A sticky bit must be set on all OL 9 public directories.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

232250: All OL 9 local files and directories must have a valid group owner.

Description: None

• medium

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

232255: All OL 9 local files and directories must have a valid owner.

Description: None

• medium

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

232260: OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

Description: None

• medium

Automated: yes

• selinux_all_devicefiles_labeled: Ensure No Device Files are Unlabeled by SELinux

232265: OL 9 /etc/crontab file must have mode 0600.

Description: None

• medium

Automated: yes

• file_permissions_crontab: Verify Permissions on crontab

232270: OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_shadow: Verify Permissions on shadow File

251010: OL 9 must have the firewalld package installed.

Description: None

• medium

Automated: yes

• package_firewalld_installed: Install firewalld Package

251015: The firewalld service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

251020: A OL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Description: None

• medium

Automated: yes

• configured_firewalld_default_deny: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

251025: OL 9 must control remote access methods.

Description: None

• medium

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports

251030: OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.

Description: None

• medium

Automated: yes

• firewalld-backend: Configure Firewalld to Use the Nftables Backend

251035: OL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Description: None

• medium

Automated: yes

• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception

251040: OL 9 network interfaces must not be in promiscuous mode.

Description: None

• medium

Automated: yes

• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer

251045: OL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

Description: None

• medium

Automated: yes

• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler

252010: OL 9 must have the chrony package installed.

Description: None

• medium

Automated: yes

• package_chrony_installed: The Chrony package is installed

252015: OL 9 chronyd service must be enabled.

Description: None

• medium

Automated: yes

• service_chronyd_enabled: The Chronyd service is enabled

252020: OL 9 must securely compare internal information system clocks at least every 24 hours.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_server_directive: Ensure Chrony is only configured with the server directive
• var_multiple_time_servers = stig
• var_time_service_set_maxpoll = 18_hours

252025: OL 9 must disable the chrony daemon from acting as a server.

Description: None

• low

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server

252030: OL 9 must disable network management of the chrony daemon.

Description: None

• low

Automated: yes

• chronyd_no_chronyc_network: Disable network management of chrony daemon

252035: OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.

Description: None

• medium

Automated: yes

• network_configure_name_resolution: Configure Multiple DNS Servers in /etc/resolv.conf

252040: OL 9 must configure a DNS processing mode set be Network Manager.

Description: None

• medium

Automated: yes

• networkmanager_dns_mode: NetworkManager DNS Mode Must Be Must Configured
• var_networkmanager_dns_mode = none

252045: OL 9 must not have unauthorized IP tunnels configured.

Description: None

• medium

Automated: yes

• libreswan_approved_tunnels: Verify Any Configured IPSec Tunnel Connections

252050: OL 9 must be configured to prevent unrestricted mail relaying.

Description: None

• medium

Automated: yes

• postfix_prevent_unrestricted_relay: Prevent Unrestricted Mail Relaying

252055: If the Trivial File Transfer Protocol (TFTP) server is required, OL 9 TFTP daemon must be configured to operate in secure mode.

Description: None

• medium

Automated: yes

• tftpd_uses_secure_mode: Ensure tftp Daemon Uses Secure Mode

252060: OL 9 must forward mail from postmaster to the root account using a postfix alias.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias_postmaster: Configure System to Forward All Mail From Postmaster to The Root Account

252065: OL 9 libreswan package must be installed.

Description: None

• medium

Automated: yes

• package_libreswan_installed: Install libreswan Package

252070: There must be no shosts.equiv files on OL 9.

Description: None

• high

Automated: yes

• no_host_based_files: Remove Host-Based Authentication Files

252075: There must be no .shosts files on OL 9.

Description: None

• high

Automated: yes

• no_user_host_based_files: Remove User Host-Based Authentication Files

253010: OL 9 must be configured to use TCP syncookies.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

253015: OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces

253020: OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

253025: OL 9 must log IPv4 packets with impossible addresses.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

253030: OL 9 must log IPv4 packets with impossible addresses by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

253035: OL 9 must use reverse path filtering on all IPv4 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

253040: OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

253045: OL 9 must not forward IPv4 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

253050: OL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

253055: OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

253060: OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

253065: OL 9 must not send Internet Control Message Protocol (ICMP) redirects.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

253070: OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

253075: OL 9 must not enable IPv4 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_forwarding: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

254010: OL 9 must not accept router advertisements on all IPv6 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces

254015: OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces

254020: OL 9 must not forward IPv6 source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

254025: OL 9 must not enable IPv6 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

254030: OL 9 must not accept router advertisements on all IPv6 interfaces by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

254035: OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

254040: OL 9 must not forward IPv6 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

255010: All OL 9 networked systems must have SSH installed.

Description: None

• medium

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package

255015: All OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

Description: None

• medium

Automated: yes

• service_sshd_enabled: Enable the OpenSSH Service

255020: OL 9 must have the openssh-clients package installed.

Description: None

• medium

Automated: yes

• package_openssh-clients_installed: Install OpenSSH client software

255025: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.

Description: None

• medium

Automated: yes

• sshd_enable_warning_banner: Enable SSH Warning Banner

255030: OL 9 must log SSH connection attempts and failures to the server.

Description: None

• medium

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

255035: OL 9 SSHD must accept public key authentication.

Description: None

• medium

Automated: yes

• sshd_enable_pubkey_auth: Enable Public Key Authentication

255040: OL 9 SSHD must not allow blank passwords.

Description: None

• high

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

255045: OL 9 must not permit direct logons to the root account using remote access via SSH.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

255050: OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

Description: None

• high

Automated: yes

• sshd_enable_pam: Enable PAM

255060: OL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
• sshd_approved_ciphers = stig_ol9

255070: OL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: no

No rules selected

255075: OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: no

No rules selected

255080: OL 9 must not allow a noncertificate trusted host SSH logon to the system.

Description: None

• medium

Automated: yes

• disable_host_auth: Disable Host-Based Authentication

255085: OL 9 must not allow users to override SSH environment variables.

Description: None

• medium

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

255090: OL 9 must force a frequent session key renegotiation for SSH connections to the server.

Description: None

• medium

Automated: yes

• sshd_rekey_limit: Force frequent session key renegotiation
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour

255095: OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_sshd_set_keepalive = 1

255100: OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_idle_timeout_value = 10_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval

255105: OL 9 SSH server configuration file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file

255110: OL 9 SSH server configuration file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_sshd_config: Verify Owner on SSH Server config file

255115: OL 9 SSH server configuration file must have mode 0600 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_config: Verify Permissions on SSH Server config file

255120: OL 9 SSH private host key files must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

255125: OL 9 SSH public host key files must have mode 0644 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

255135: OL 9 SSH daemon must not allow GSSAPI authentication.

Description: None

• medium

Automated: yes

• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

255140: OL 9 SSH daemon must not allow Kerberos authentication.

Description: None

• medium

Automated: yes

• sshd_disable_kerb_auth: Disable Kerberos Authentication

255145: OL 9 SSH daemon must not allow rhosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

255150: OL 9 SSH daemon must not allow known hosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

255155: OL 9 SSH daemon must disable remote X connections for interactive users.

Description: None

• medium

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

255160: OL 9 SSH daemon must perform strict mode checking of home directory configuration files.

Description: None

• medium

Automated: yes

• sshd_enable_strictmodes: Enable Use of Strict Mode Checking

255165: OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• medium

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

255175: OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.

Description: None

• medium

Automated: yes

• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display

271010: OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

271015: OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

271020: OL 9 must disable the graphical user interface automount function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

271025: OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

271030: OL 9 must disable the graphical user interface autorun function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

271035: OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

271040: OL 9 must not allow unattended or automatic logon via the graphical user interface.

Description: None

• high

Automated: yes

• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login

271045: OL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

271050: OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

271055: OL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

271060: OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

271065: OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout

271070: OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings

271075: OL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period

271080: OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings

271085: OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_mode_blank: Implement Blank Screensaver

271090: OL 9 effective dconf policy must match the policy keyfiles.

Description: None

• medium

Automated: yes

• dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles

271095: OL 9 must disable the ability of a user to restart the system from the login screen.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

271100: OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

271105: OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

271110: OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

271115: OL 9 must disable the user list at logon for graphical user interfaces.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

291010: OL 9 must be configured to disable USB mass storage.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

291015: OL 9 must have the USBGuard package installed.

Description: None

• medium

Automated: yes

• package_usbguard_installed: Install usbguard Package

291020: OL 9 must have the USBGuard package enabled.

Description: None

• medium

Automated: yes

• service_usbguard_enabled: Enable the USBGuard Service

291025: OL 9 must enable Linux audit logging for the USBGuard daemon.

Description: None

• low

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit

291030: OL 9 must block unauthorized peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• usbguard_generate_policy: Generate USBGuard Policy

291035: OL 9 Bluetooth must be disabled.

Description: None

• medium

Automated: yes

• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module

291040: OL 9 wireless network adapters must be disabled.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

411010: OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age

411015: OL 9 user account passwords must have a 60-day maximum password lifetime restriction.

Description: None

• medium

Automated: yes

• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 60

411020: All OL 9 local interactive user accounts must be assigned a home directory upon creation.

Description: None

• medium

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

411025: OL 9 must set the umask value to 077 for all local interactive user accounts.

Description: None

• medium

Automated: yes

• accounts_umask_interactive_users: Ensure the Default Umask is Set Correctly For Interactive Users
• var_accounts_user_umask = 077

411030: OL 9 duplicate User IDs (UIDs) must not exist for interactive users.

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

411035: OL 9 system accounts must not have an interactive login shell.

Description: None

• medium

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

411040: OL 9 must automatically expire temporary accounts within 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

411045: All OL 9 interactive users must have a primary group that exists.

Description: None

• medium

Automated: yes

• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

411050: OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity
• var_account_disable_post_pw_expiration = 35

411055: Executable search paths within the initialization files of all local interactive OL 9 users must only contain paths that resolve to the system default or the users home directory.

Description: None

• medium

Automated: yes

• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

411060: All OL 9 local interactive users must have a home directory assigned in the /etc/passwd file.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined

411065: All OL 9 local interactive user home directories defined in the /etc/passwd file must exist.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

411070: All OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.

Description: None

• medium

Automated: yes

• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

411075: OL 9 must automatically lock an account when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3

411080: OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts

411085: OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• var_accounts_passwords_pam_faillock_fail_interval = 900

411090: OL 9 must maintain an account lock until the locked account is released by an administrator.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_unlock_time = never

411095: OL 9 must not have unauthorized accounts.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
• var_accounts_authorized_local_users_regex = ol9

411100: The root account must be the only account having unrestricted access to OL 9 system.

Description: None

• high

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

411105: OL 9 must ensure account lockouts persist.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist

411110: OL 9 groups must have unique Group ID (GID).

Description: None

• medium

Automated: yes

• group_unique_id: Ensure All Groups on the System Have Unique Group ID

411115: Local OL 9 initialization files must not execute world-writable programs.

Description: None

• medium

Automated: yes

• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

412010: OL 9 must have the tmux package installed.

Description: None

• medium

Automated: yes

• package_tmux_installed: Install the tmux Package

412015: OL 9 must ensure session control is automatically started at shell initialization.

Description: None

• medium

Automated: yes

• configure_bashrc_tmux: Support session locking with tmux (not enforcing)

412020: OL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.

Description: None

• medium

Automated: yes

• configure_tmux_lock_command: Configure the tmux Lock Command
• configure_tmux_lock_keybinding: Configure the tmux lock session key binding

412025: OL 9 must automatically lock command line user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• configure_tmux_lock_after_time: Configure tmux to lock session after inactivity

412030: OL 9 must prevent users from disabling session control mechanisms.

Description: None

• low

Automated: yes

• no_tmux_in_shells: Prevent user from disabling the screen lock

412035: OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 15_min

412040: OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

412045: OL 9 must log username information when unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_audit: Account Lockouts Must Be Logged

412050: OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs
• var_accounts_fail_delay = 4

412055: OL 9 must define default permissions for the bash shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly

412060: OL 9 must define default permissions for the c shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_csh_cshrc: Ensure the Default C Shell Umask is Set Correctly

412065: OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

412070: OL 9 must define default permissions for the system default profile.

Description: None

• medium

Automated: yes

• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile

412075: OL 9 must display the date and time of the last successful account logon upon logon.

Description: None

• low

Automated: yes

• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification

412080: OL 9 must terminate idle user sessions.

Description: None

• medium

Automated: yes

• logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
• var_logind_session_timeout = 15_minutes

431010: OL 9 must use a Linux Security Module configured to enforce limits on system services.

Description: None

• high

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

431015: OL 9 must enable the SELinux targeted policy.

Description: None

• medium

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

431020: OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

Description: None

• medium

Automated: yes

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory

431025: OL 9 must have policycoreutils package installed.

Description: None

• medium

Automated: yes

• package_policycoreutils_installed: Install policycoreutils Package

431030: OL 9 policycoreutils-python-utils package must be installed.

Description: None

• medium

Automated: yes

• package_policycoreutils-python-utils_installed: Install policycoreutils-python-utils package

432010: OL 9 must have the sudo package installed.

Description: None

• medium

Automated: yes

• package_sudo_installed: Install sudo Package

432015: OL 9 must require reauthentication when using the "sudo" command.

Description: None

• medium

Automated: yes

• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
• var_sudo_timestamp_timeout = always_prompt

432020: OL 9 must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• medium

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

432025: OL 9 must require users to reauthenticate for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

432030: OL 9 must restrict privilege elevation to authorized personnel.

Description: None

• medium

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

432035: OL 9 must restrict the use of the "su" command.

Description: None

• medium

Automated: yes

• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

433010: OL 9 fapolicy module must be installed.

Description: None

• medium

Automated: yes

• package_fapolicyd_installed: Install fapolicyd Package

433015: OL 9 fapolicy module must be enabled.

Description: None

• medium

Automated: yes

• service_fapolicyd_enabled: Enable the File Access Policy Service

611010: OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.

Description: None

• medium

Automated: yes

• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• var_password_pam_retry = 3

611015: OL 9 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember_password_auth: Limit Password Reuse: password-auth
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite_or_required

611020: OL 9 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember_system_auth: Limit Password Reuse: system-auth

611025: OL 9 must not allow blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

611030: OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_system_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.

611035: OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_password_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.

611040: OL 9 must ensure the password complexity module is enabled in the password-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth

611045: OL 9 must ensure the password complexity module is enabled in the system-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth

611050: OL 9 password-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_password_auth: Set number of Password Hashing Rounds - password-auth
• var_password_pam_unix_rounds = 5000

611055: OL 9 system-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_system_auth: Set number of Password Hashing Rounds - system-auth

611060: OL 9 must enforce password complexity rules for the root account.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User

611065: OL 9 must enforce password complexity by requiring that at least one lowercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• var_password_pam_lcredit = 1

611070: OL 9 must enforce password complexity by requiring that at least one numeric character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• var_password_pam_dcredit = 1

611075: OL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age

611080: OL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

611085: OL 9 must require users to provide a password for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

611090: OL 9 passwords must be created with a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• var_password_pam_minlen = 15

611095: OL 9 passwords for new users must have a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs

611100: OL 9 must enforce password complexity by requiring that at least one special character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• var_password_pam_ocredit = 1

611105: OL 9 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
• var_password_pam_dictcheck = 1

611110: OL 9 must enforce password complexity by requiring that at least one uppercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_ucredit = 1

611115: OL 9 must require the change of at least eight characters when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters
• var_password_pam_difok = 8

611120: OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxclassrepeat: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
• var_password_pam_maxclassrepeat = 4

611125: OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters
• var_password_pam_maxrepeat = 3

611130: OL 9 must require the change of at least four character classes when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• var_password_pam_minclass = 4

611135: OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• var_password_hashing_algorithm_pam = sha512

611140: OL 9 must be configured to use the shadow file to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• var_password_hashing_algorithm = SHA512

611145: OL 9 must not be configured to bypass password requirements for privilege escalation.

Description: None

• medium

Automated: yes

• disallow_bypass_password_sudo: Disallow Configuration to Bypass Password Requirements for Privilege Escalation

611150: OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

611155: OL 9 must not have accounts configured with blank or null passwords.

Description: None

• medium

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

611160: OL 9 must use the CAC smart card driver.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• var_smartcard_drivers = cac

611165: OL 9 must enable certificate based smart card authentication.

Description: None

• medium

Automated: yes

• sssd_enable_smartcards: Enable Smartcards in SSSD

611170: OL 9 must implement certificate status checking for multifactor authentication.

Description: None

• medium

Automated: yes

• sssd_certificate_verification: Certificate status checking in SSSD
• var_sssd_certificate_verification_digest_function = sha512

611175: OL 9 must have the pcsc-lite package installed.

Description: None

• medium

Automated: yes

• package_pcsc-lite_installed: Install the pcsc-lite package

611180: The pcscd service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_pcscd_enabled: Enable the pcscd Service

611185: OL 9 must have the opensc package installed.

Description: None

• medium

Automated: yes

• package_opensc_installed: Install the opensc Package For Multifactor Authentication

611190: OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: yes

• ssh_keys_passphrase_protected: Verify the SSH Private Key Files Have a Passcode

611195: OL 9 must require authentication to access emergency mode.

Description: None

• medium

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

611200: OL 9 must require authentication to access single-user mode.

Description: None

• medium

Automated: yes

• require_singleuser_auth: Require Authentication for Single User Mode

631010: OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: yes

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

631015: OL 9 must map the authenticated identity to the user or group account for PKI-based authentication.

Description: None

• medium

Automated: yes

• sssd_enable_certmap: Enable Certmap in SSSD

631020: OL 9 must prohibit the use of cached authenticators after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

651010: OL 9 must have the AIDE package installed.

Description: None

• medium

Automated: yes

• package_aide_installed: Install AIDE

651015: OL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

651020: OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

Description: None

• medium

Automated: yes

• aide_use_fips_hashes: Configure AIDE to Use FIPS 140-2 for Validating Hashes

651025: OL 9 must use cryptographic mechanisms to protect the integrity of audit tools.

Description: None

• medium

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

651030: OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).

Description: None

• low

Automated: yes

• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)

651035: OL 9 must be configured so that the file integrity tool verifies extended attributes.

Description: None

• low

Automated: yes

• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes

652010: OL 9 must have the rsyslog package installed.

Description: None

• medium

Automated: yes

• package_rsyslog_installed: Ensure rsyslog is Installed

652015: OL 9 must have the packages required for encrypting offloaded audit logs installed.

Description: None

• medium

Automated: yes

• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed

652020: The rsyslog service on OL 9 must be active.

Description: None

• medium

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

652025: OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Description: None

• medium

Automated: yes

• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

652030: All OL 9 remote access methods must be monitored.

Description: None

• medium

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog

652035: OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.

Description: None

• medium

Automated: yes

• auditd_audispd_syslog_plugin_activated: Configure auditd to use audispd's syslog plugin

652040: OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records

652045: OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records

652050: OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records

652055: OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

652060: OL 9 must use cron logging.

Description: None

• medium

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

653010: OL 9 audit package must be installed.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed

653015: OL 9 audit service must be enabled.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

653020: OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action_stig: Configure auditd Disk Error Action on Disk Error
• var_auditd_disk_error_action = halt

653025: OL 9 audit system must take appropriate action when the audit storage volume is full.

Description: None

• medium

Automated: yes

• auditd_data_disk_full_action_stig: Configure auditd Disk Full Action when Disk Space Is Full
• var_auditd_disk_full_action = halt

653030: OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs

653035: OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space
• var_auditd_space_left_percentage = 25pc

653040: OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• var_auditd_space_left_action = email

653045: OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• var_auditd_admin_space_left_percentage = 5pc

653050: OL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = halt

653055: OL 9 audit system must take appropriate action when the audit files have reached maximum size.

Description: None

• medium

Automated: yes

• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_auditd_max_log_file_action = rotate

653060: OL 9 must label all offloaded audit logs before sending them to the central log server.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• var_auditd_name_format = stig

653065: OL 9 must take appropriate action when the internal event queue is full.

Description: None

• medium

Automated: yes

• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

653070: OL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

Description: None

• medium

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
• var_auditd_action_mail_acct = root

653075: OL 9 audit system must audit local events.

Description: None

• medium

Automated: yes

• auditd_local_events: Include Local Events in Audit Logs

653080: OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root

653085: OL 9 audit log directory must be owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root

653090: OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.

Description: None

• medium

Automated: yes

• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

653095: OL 9 must periodically flush audit records to disk to prevent the loss of audit records.

Description: None

• medium

Automated: yes

• auditd_freq: Set number of records to cause an explicit flush to audit logs
• var_auditd_freq = 100

653100: OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.

Description: None

• medium

Automated: yes

• auditd_log_format: Resolve information before writing to audit logs

653105: OL 9 must write audit records to disk.

Description: None

• medium

Automated: yes

• auditd_write_logs: Write Audit Logs to the Disk

653110: OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_rulesd: Verify Permissions on /etc/audit/rules.d/*.rules

653115: OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_auditd: Verify Permissions on /etc/audit/auditd.conf

653120: OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

653125: OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

653130: OL 9 audispd-plugins package must be installed.

Description: None

• medium

Automated: yes

• package_audispd-plugins_installed: Install audispd-plugins Package

654010: OL 9 must audit uses of the "execve" system call.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

654015: OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat

654020: OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

654025: OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

654030: OL 9 must audit all uses of umount system calls.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount

654035: OL 9 must audit all uses of the chacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chacl: Record Any Attempts to Run chacl

654040: OL 9 must audit all uses of the setfacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

654045: OL 9 must audit all uses of the chcon command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon

654050: OL 9 must audit all uses of the semanage command.

Description: None

• medium

Automated: yes

• audit_rules_execution_semanage: Record Any Attempts to Run semanage

654055: OL 9 must audit all uses of the setfiles command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles

654060: OL 9 must audit all uses of the setsebool command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

654065: OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

Description: None

• medium

Automated: yes

• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

654070: OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

654075: OL 9 must audit all uses of the delete_module system call.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module

654080: OL 9 must audit all uses of the init_module and finit_module system calls.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module

654085: OL 9 must audit all uses of the chage command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

654090: OL 9 must audit all uses of the chsh command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

654095: OL 9 must audit all uses of the crontab command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

654100: OL 9 must audit all uses of the gpasswd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

654105: OL 9 must audit all uses of the kmod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

654110: OL 9 must audit all uses of the newgrp command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

654115: OL 9 must audit all uses of the pam_timestamp_check command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

654120: OL 9 must audit all uses of the passwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd

654125: OL 9 must audit all uses of the postdrop command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

654130: OL 9 must audit all uses of the postqueue command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

654135: OL 9 must audit all uses of the ssh-agent command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

654140: OL 9 must audit all uses of the ssh-keysign command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

654145: OL 9 must audit all uses of the su command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su

654150: OL 9 must audit all uses of the sudo command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

654155: OL 9 must audit all uses of the sudoedit command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

654160: OL 9 must audit all uses of the unix_chkpwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

654165: OL 9 must audit all uses of the unix_update command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

654170: OL 9 must audit all uses of the userhelper command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

654175: OL 9 must audit all uses of the usermod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

654180: OL 9 must audit all uses of the mount command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount

654185: Successful/unsuccessful uses of the init command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_init: Ensure auditd Collects Information on the Use of Privileged Commands - init

654190: Successful/unsuccessful uses of the poweroff command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_poweroff: Ensure auditd Collects Information on the Use of Privileged Commands - poweroff

654195: Successful/unsuccessful uses of the reboot command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_reboot: Ensure auditd Collects Information on the Use of Privileged Commands - reboot

654200: Successful/unsuccessful uses of the shutdown command in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_shutdown: Ensure auditd Collects Information on the Use of Privileged Commands - shutdown

654205: Successful/unsuccessful uses of the umount system call in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount

654210: Successful/unsuccessful uses of the umount2 system call in OL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2

654215: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers

654220: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

Description: None

• medium

Automated: yes

• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

654225: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group

654230: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow

654235: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

654240: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

654245: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

654250: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock

654255: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

654260: OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

654265: OL 9 must take appropriate action when a critical audit processing failure occurs.

Description: None

• medium

Automated: yes

• audit_rules_system_shutdown: Shutdown System When Auditing Failures Occur

654270: OL 9 audit system must protect logon UIDs from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable_login_uids: Configure immutable Audit login UIDs

654275: OL 9 audit system must protect auditing rules from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

671010: OL 9 must enable FIPS mode.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1
• var_system_crypto_policy = fips

671015: OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.

Description: None

• medium

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512

671020: OL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.

Description: None

• medium

Automated: yes

• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy

671025: OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• var_password_hashing_algorithm_pam = sha512

672010: OL 9 must have the crypto-policies package installed.

Description: None

• medium

Automated: yes

• package_crypto-policies_installed: Install crypto-policies package

672015: OL 9 crypto policy files must match files shipped with the operating system.

Description: None

• high

Automated: no

No rules selected

672020: OL 9 crypto policy must not be overridden.

Description: None

• medium

Automated: no

No rules selected

672025: OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Description: None

• medium

Automated: yes

• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy

672030: OL 9 must implement DOD-approved TLS encryption in the GnuTLS package.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

672035: OL 9 must implement DOD-approved encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy

672040: OL 9 must implement DOD-approved TLS encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_tls_crypto_policy: Configure OpenSSL library to use TLS Encryption

672045: OL 9 must implement a system-wide encryption policy.

Description: None

• medium

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

672050: OL 9 must implement DOD-approved encryption in the bind package.

Description: None

• medium

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy