Definition of Red Hat Enterprise Linux 8 Security Technical Implementation Guide for rhel8

needed_rules: Variables and needed rules

Description: None

• high
• medium
• low

Automated: no

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy
• configure_crypto_policy: Configure System Cryptography Policy
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy
• enable_authselect: Enable authselect
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• login_banner_text = dod_banners
• sshd_approved_ciphers = stig_extended
• sshd_approved_macs = stig_extended
• sshd_idle_timeout_value = 10_minutes
• var_account_disable_post_pw_expiration = 35
• var_accounts_authorized_local_users_regex = rhel8
• var_accounts_fail_delay = 4
• var_accounts_max_concurrent_login_sessions = 10
• var_accounts_maximum_age_login_defs = 60
• var_accounts_minimum_age_login_defs = 1
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_fail_interval = 900
• var_accounts_passwords_pam_faillock_unlock_time = never
• var_accounts_user_umask = 077
• var_auditd_action_mail_acct = root
• var_auditd_disk_error_action = rhel8
• var_auditd_disk_full_action = rhel8
• var_auditd_max_log_file_action = syslog
• var_auditd_space_left_action = email
• var_auditd_space_left_percentage = 25pc
• var_authselect_profile = sssd
• var_multiple_time_servers = stig
• var_password_hashing_algorithm = SHA512
• var_password_hashing_algorithm_pam = sha512
• var_password_hashing_min_rounds_login_defs = 100000
• var_password_pam_dcredit = 1
• var_password_pam_dictcheck = 1
• var_password_pam_difok = 8
• var_password_pam_lcredit = 1
• var_password_pam_maxclassrepeat = 4
• var_password_pam_maxrepeat = 3
• var_password_pam_minclass = 4
• var_password_pam_minlen = 15
• var_password_pam_ocredit = 1
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite_or_required
• var_password_pam_retry = 3
• var_password_pam_ucredit = 1
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing
• var_ssh_client_rekey_limit_size = 1G
• var_ssh_client_rekey_limit_time = 1hour
• var_sshd_set_keepalive = 1
• var_sssd_certificate_verification_digest_function = sha1
• var_system_crypto_policy = fips
• var_time_service_set_maxpoll = 18_hours

RHEL-08-010000: RHEL 8 must be a vendor-supported release.

Description: None

• high

Automated: yes

• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported

RHEL-08-010010: RHEL 8 vendor packaged system security patches and updates must be installed and up to date.

Description: None

• medium

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

RHEL-08-010020: RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Description: None

• high

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy
• configure_crypto_policy: Configure System Cryptography Policy
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• fips_crypto_subpolicy: FIPS Must Use a Supported Subpolicy
• harden_sshd_ciphers_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140 Validated Ciphers: openssh.config
• harden_sshd_macs_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1

RHEL-08-010030: All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

RHEL-08-010040: RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.

Description: None

• medium

Automated: yes

• sshd_enable_warning_banner: Enable SSH Warning Banner

RHEL-08-010050: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: yes

• dconf_gnome_login_banner_text: Set the GNOME3 Login Warning Banner Text

RHEL-08-010060: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner

RHEL-08-010070: All RHEL 8 remote access methods must be monitored.

Description: None

• medium

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog

RHEL-08-010090: RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: yes

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

RHEL-08-010100: RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: yes

• ssh_keys_passphrase_protected: Verify the SSH Private Key Files Have a Passcode

RHEL-08-010110: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs

RHEL-08-010120: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

Description: None

• medium

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512

RHEL-08-010130: The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

RHEL-08-010140: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.

Description: None

• high

Automated: yes

• grub2_uefi_password: Set the UEFI Boot Loader Password

RHEL-08-010150: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.

Description: None

• high

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

RHEL-08-010151: RHEL 8 operating systems must require authentication upon booting into rescue mode.

Description: None

• medium

Automated: yes

• require_singleuser_auth: Require Authentication for Single User Mode

RHEL-08-010160: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth

RHEL-08-010161: RHEL 8 must prevent system daemons from using Kerberos for authentication.

Description: None

• medium

Automated: yes

• kerberos_disable_no_keytab: Disable Kerberos by removing host keytab

RHEL-08-010162: The krb5-workstation package must not be installed on RHEL 8.

Description: None

• medium

Automated: yes

• package_krb5-workstation_removed: Uninstall krb5-workstation Package

RHEL-08-010170: RHEL 8 must use a Linux Security Module configured to enforce limits on system services.

Description: None

• medium

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing

RHEL-08-010171: RHEL 8 must have policycoreutils package installed.

Description: None

• low

Automated: yes

• package_policycoreutils_installed: Install policycoreutils Package

RHEL-08-010190: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

RHEL-08-010200: RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_keepalive: Set SSH Client Alive Count Max

RHEL-08-010210: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log_messages: Verify Permissions on /var/log/messages File

RHEL-08-010220: The RHEL 8 /var/log/messages file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log_messages: Verify User Who Owns /var/log/messages File

RHEL-08-010230: The RHEL 8 /var/log/messages file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log_messages: Verify Group Who Owns /var/log/messages File

RHEL-08-010240: The RHEL 8 /var/log directory must have mode 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log: Verify Permissions on /var/log Directory

RHEL-08-010250: The RHEL 8 /var/log directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log: Verify User Who Owns /var/log Directory

RHEL-08-010260: The RHEL 8 /var/log directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log: Verify Group Who Owns /var/log Directory

RHEL-08-010290: The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: yes

• harden_sshd_macs_opensshserver_conf_crypto_policy: Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

RHEL-08-010291: The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality of SSH server connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_opensshserver_conf_crypto_policy: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

RHEL-08-010292: RHEL 8 must ensure the SSH server uses strong entropy.

Description: None

• low

Automated: yes

• sshd_use_strong_rng: SSH server uses strong entropy to seed

RHEL-08-010293: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy

RHEL-08-010294: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_tls_crypto_policy: Configure OpenSSL library to use TLS Encryption

RHEL-08-010295: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.

Description: None

• medium

Automated: yes

• configure_gnutls_tls_crypto_policy: Configure GnuTLS library to use DoD-approved TLS Encryption

RHEL-08-010300: RHEL 8 system commands must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions

RHEL-08-010310: RHEL 8 system commands must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership

RHEL-08-010320: RHEL 8 system commands must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account

RHEL-08-010330: RHEL 8 library files must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions

RHEL-08-010340: RHEL 8 library files must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership

RHEL-08-010350: RHEL 8 library files must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

RHEL-08-010360: The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.

Description: None

• medium

Automated: yes

• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

RHEL-08-010370: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

Description: None

• high

Automated: yes

• enable_gpgcheck_for_all_repositories: Ensure gpgcheck Is Enabled for All Package Repositories

RHEL-08-010371: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

Description: None

• high

Automated: yes

• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages

RHEL-08-010372: RHEL 8 must prevent the loading of a new kernel for later execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading

RHEL-08-010373: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

RHEL-08-010374: RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks

RHEL-08-010375: RHEL 8 must restrict access to the kernel message buffer.

Description: None

• low

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

RHEL-08-010376: RHEL 8 must prevent kernel profiling by unprivileged users.

Description: None

• low

Automated: yes

• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

RHEL-08-010380: RHEL 8 must require users to provide a password for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

RHEL-08-010381: RHEL 8 must require users to reauthenticate for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

RHEL-08-010390: RHEL 8 must have the packages required for multifactor authentication installed.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

RHEL-08-010400: RHEL 8 must implement certificate status checking for multifactor authentication.

Description: None

• medium

Automated: yes

• sssd_certificate_verification: Certificate status checking in SSSD

RHEL-08-010410: RHEL 8 must accept Personal Identity Verification (PIV) credentials.

Description: None

• medium

Automated: yes

• package_opensc_installed: Install the opensc Package For Multifactor Authentication

RHEL-08-010420: RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS

RHEL-08-010421: RHEL 8 must clear the page allocator to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_page_poison_argument: Enable page allocator poisoning

RHEL-08-010422: RHEL 8 must disable virtual syscalls.

Description: None

• medium

Automated: yes

• grub2_vsyscall_argument: Disable vsyscalls

RHEL-08-010423: RHEL 8 must clear memory when it is freed to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_init_on_free: The system must booted with init_on_free=1

RHEL-08-010430: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

RHEL-08-010440: YUM must remove all software components after updated versions have been installed on RHEL 8.

Description: None

• low

Automated: yes

• clean_components_post_updating: Ensure yum Removes Previous Package Versions

RHEL-08-010450: RHEL 8 must enable the SELinux targeted policy.

Description: None

• medium

Automated: yes

• selinux_policytype: Configure SELinux Policy

RHEL-08-010460: There must be no shosts.equiv files on the RHEL 8 operating system.

Description: None

• high

Automated: yes

• no_host_based_files: Remove Host-Based Authentication Files

RHEL-08-010470: There must be no .shosts files on the RHEL 8 operating system.

Description: None

• high

Automated: yes

• no_user_host_based_files: Remove User Host-Based Authentication Files

RHEL-08-010471: RHEL 8 must enable the hardware random number generator entropy gatherer service.

Description: None

• low

Automated: yes

• service_rngd_enabled: Enable the Hardware RNG Entropy Gatherer Service

RHEL-08-010480: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

RHEL-08-010490: The RHEL 8 SSH private host key files must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

RHEL-08-010500: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.

Description: None

• medium

Automated: yes

• sshd_enable_strictmodes: Enable Use of Strict Mode Checking

RHEL-08-010520: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.

Description: None

• medium

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

RHEL-08-010521: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.

Description: None

• medium

Automated: yes

• sshd_disable_kerb_auth: Disable Kerberos Authentication

RHEL-08-010540: RHEL 8 must use a separate file system for /var.

Description: None

• low

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

RHEL-08-010541: RHEL 8 must use a separate file system for /var/log.

Description: None

• low

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

RHEL-08-010542: RHEL 8 must use a separate file system for the system audit data path.

Description: None

• low

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

RHEL-08-010543: A separate RHEL 8 filesystem must be used for the /tmp directory.

Description: None

• medium

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

RHEL-08-010550: RHEL 8 must not permit direct logons to the root account using remote access via SSH.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

RHEL-08-010561: The rsyslog service must be running in RHEL 8.

Description: None

• medium

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

RHEL-08-010570: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

RHEL-08-010571: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

Description: None

• medium

Automated: yes

• mount_option_boot_nosuid: Add nosuid Option to /boot

RHEL-08-010580: RHEL 8 must prevent special devices on non-root local partitions.

Description: None

• medium

Automated: yes

• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions

RHEL-08-010590: RHEL 8 must prevent code from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_noexec: Add noexec Option to /home

RHEL-08-010600: RHEL 8 must prevent special devices on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions

RHEL-08-010610: RHEL 8 must prevent code from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

RHEL-08-010620: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

RHEL-08-010630: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec

RHEL-08-010640: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nodev_remote_filesystems: Mount Remote Filesystems with nodev

RHEL-08-010650: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid

RHEL-08-010660: Local RHEL 8 initialization files must not execute world-writable programs.

Description: None

• medium

Automated: yes

• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

RHEL-08-010670: RHEL 8 must disable kernel dumps unless needed.

Description: None

• medium

Automated: yes

• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)

RHEL-08-010671: RHEL 8 must disable the kernel.core_pattern.

Description: None

• medium

Automated: yes

• sysctl_kernel_core_pattern: Disable storing core dumps

RHEL-08-010672: RHEL 8 must disable acquiring, saving, and processing core dumps.

Description: None

• medium

Automated: yes

• service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps

RHEL-08-010673: RHEL 8 must disable core dumps for all users.

Description: None

• medium

Automated: yes

• disable_users_coredumps: Disable Core Dumps for All Users

RHEL-08-010674: RHEL 8 must disable storing core dumps.

Description: None

• medium

Automated: yes

• coredump_disable_storage: Disable storing core dump

RHEL-08-010675: RHEL 8 must disable core dump backtraces.

Description: None

• medium

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces

RHEL-08-010680: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.

Description: None

• medium

Automated: yes

• network_configure_name_resolution: Configure Multiple DNS Servers in /etc/resolv.conf

RHEL-08-010690: Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.

Description: None

• medium

Automated: yes

• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

RHEL-08-010700: All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User

RHEL-08-010710: All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_system_owned_group: Ensure All World-Writable Directories Are Group Owned by a System Account

RHEL-08-010720: All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined

RHEL-08-010730: All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

RHEL-08-010740: All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.

Description: None

• medium

Automated: yes

• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

RHEL-08-010750: All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

RHEL-08-010760: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.

Description: None

• medium

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

RHEL-08-010770: All RHEL 8 local initialization files must have mode 0740 or less permissive.

Description: None

• medium

Automated: yes

• file_permission_user_init_files_root: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
• rootfiles_configured: Ensure rootfiles tmpfile.d is Configured Correctly
• var_user_initialization_files_regex = all_dotfiles

RHEL-08-010780: All RHEL 8 local files and directories must have a valid owner.

Description: None

• medium

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

RHEL-08-010790: All RHEL 8 local files and directories must have a valid group owner.

Description: None

• medium

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

RHEL-08-010800: A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).

Description: None

• medium

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

RHEL-08-010820: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.

Description: None

• high

Automated: yes

• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login

RHEL-08-010830: RHEL 8 must not allow users to override SSH environment variables.

Description: None

• medium

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

RHEL-08-020000: RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

RHEL-08-020010: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: no

No rules selected

RHEL-08-020011: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts

RHEL-08-020012: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts

RHEL-08-020013: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts

RHEL-08-020014: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts

RHEL-08-020015: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts

RHEL-08-020016: RHEL 8 must ensure account lockouts persist.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist

RHEL-08-020017: RHEL 8 must ensure account lockouts persist.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist

RHEL-08-020018: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_silent: Do Not Show System Messages When Unsuccessful Logon Attempts Occur

RHEL-08-020019: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_silent: Do Not Show System Messages When Unsuccessful Logon Attempts Occur

RHEL-08-020020: RHEL 8 must log user name information when unsuccessful logon attempts occur.

Description: None

• medium

Automated: no

No rules selected

RHEL-08-020021: RHEL 8 must log user name information when unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_audit: Account Lockouts Must Be Logged

RHEL-08-020022: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: no

No rules selected

RHEL-08-020023: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts

RHEL-08-020024: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User

RHEL-08-020030: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

RHEL-08-020050: RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

RHEL-08-020060: RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout

RHEL-08-020080: RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings

RHEL-08-020090: RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.

Description: None

• medium

Automated: yes

• sssd_enable_certmap: Enable Certmap in SSSD

RHEL-08-020100: RHEL 8 must ensure the password complexity module is enabled in the password-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth

RHEL-08-020110: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

RHEL-08-020120: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

RHEL-08-020130: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters

RHEL-08-020140: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxclassrepeat: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

RHEL-08-020150: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters

RHEL-08-020160: RHEL 8 must require the change of at least four character classes when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories

RHEL-08-020170: RHEL 8 must require the change of at least 8 characters when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters

RHEL-08-020180: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age

RHEL-08-020190: RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age

RHEL-08-020200: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age

RHEL-08-020210: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.

Description: None

• medium

Automated: yes

• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age

RHEL-08-020230: RHEL 8 passwords must have a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length

RHEL-08-020231: RHEL 8 passwords for new users must have a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs

RHEL-08-020240: RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

RHEL-08-020250: RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.

Description: None

• medium

Automated: yes

• sssd_enable_smartcards: Enable Smartcards in SSSD

RHEL-08-020260: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity

RHEL-08-020270: RHEL 8 must automatically expire temporary accounts within 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

RHEL-08-020280: All RHEL 8 passwords must contain at least one special character.

Description: None

• medium

Automated: yes

• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters

RHEL-08-020290: RHEL 8 must prohibit the use of cached authentications after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

RHEL-08-020300: RHEL 8 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

RHEL-08-020310: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs

RHEL-08-020320: RHEL 8 must not have unnecessary accounts.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System

RHEL-08-020330: RHEL 8 must not allow accounts configured with blank or null passwords.

Description: None

• high

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

RHEL-08-020340: RHEL 8 must display the date and time of the last successful account logon upon logon.

Description: None

• low

Automated: yes

• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification

RHEL-08-020350: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• medium

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

RHEL-08-020351: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

RHEL-08-020352: RHEL 8 must set the umask value to 077 for all local interactive user accounts.

Description: None

• medium

Automated: yes

• accounts_umask_interactive_users: Ensure the Default Umask is Set Correctly For Interactive Users

RHEL-08-020353: RHEL 8 must define default permissions for logon and non-logon shells.

Description: None

• medium

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_etc_csh_cshrc: Ensure the Default C Shell Umask is Set Correctly
• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile

RHEL-08-030000: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

RHEL-08-030010: Cron logging must be implemented in RHEL 8.

Description: None

• medium

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

RHEL-08-030020: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

Description: None

• medium

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space

RHEL-08-030030: The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.

Description: None

• medium

Automated: yes

• package_postfix_installed: The Postfix package is installed
• postfix_client_configure_mail_alias_postmaster: Configure System to Forward All Mail From Postmaster to The Root Account

RHEL-08-030040: The RHEL 8 System must take appropriate action when an audit processing failure occurs.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error

RHEL-08-030060: The RHEL 8 audit system must take appropriate action when the audit storage volume is full.

Description: None

• medium

Automated: yes

• auditd_data_disk_full_action: Configure auditd Disk Full Action when Disk Space Is Full

RHEL-08-030061: The RHEL 8 audit system must audit local events.

Description: None

• medium

Automated: yes

• auditd_local_events: Include Local Events in Audit Logs

RHEL-08-030062: RHEL 8 must label all off-loaded audit logs before sending them to the central log server.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• var_auditd_name_format = stig

RHEL-08-030063: RHEL 8 must resolve audit information before writing to disk.

Description: None

• low

Automated: yes

• auditd_log_format: Resolve information before writing to audit logs

RHEL-08-030070: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

RHEL-08-030080: RHEL 8 audit logs must be owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root

RHEL-08-030090: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root

RHEL-08-030100: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root

RHEL-08-030110: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root

RHEL-08-030120: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_permissions_var_log_audit: System Audit Logs Must Have Mode 0750 or Less Permissive

RHEL-08-030121: RHEL 8 audit system must protect auditing rules from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

RHEL-08-030122: RHEL 8 audit system must protect logon UIDs from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable_login_uids: Configure immutable Audit login UIDs

RHEL-08-030130: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

RHEL-08-030140: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

RHEL-08-030150: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

RHEL-08-030160: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow

RHEL-08-030170: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group

RHEL-08-030171: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers

RHEL-08-030172: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.

Description: None

• medium

Automated: yes

• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

RHEL-08-030180: The RHEL 8 audit package must be installed.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed

RHEL-08-030190: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su

RHEL-08-030200: The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

RHEL-08-030250: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

RHEL-08-030260: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon

RHEL-08-030280: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

RHEL-08-030290: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd

RHEL-08-030300: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount

RHEL-08-030301: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount

RHEL-08-030302: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)

RHEL-08-030310: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

RHEL-08-030311: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

RHEL-08-030312: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

RHEL-08-030313: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_semanage: Record Any Attempts to Run semanage

RHEL-08-030314: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles

RHEL-08-030315: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

RHEL-08-030316: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

RHEL-08-030317: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

RHEL-08-030320: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

RHEL-08-030330: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

RHEL-08-030340: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

RHEL-08-030350: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

RHEL-08-030360: Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module

RHEL-08-030361: Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

RHEL-08-030370: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

RHEL-08-030390: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module

RHEL-08-030400: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

RHEL-08-030410: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

RHEL-08-030420: Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

RHEL-08-030480: Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

RHEL-08-030490: Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat

RHEL-08-030550: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

RHEL-08-030560: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

RHEL-08-030570: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_chacl: Record Any Attempts to Run chacl

RHEL-08-030580: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

RHEL-08-030590: Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock

RHEL-08-030600: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

RHEL-08-030601: RHEL 8 must enable auditing of processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

RHEL-08-030602: RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

RHEL-08-030603: RHEL 8 must enable Linux audit logging for the USBGuard daemon.

Description: None

• low

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit

RHEL-08-030610: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_auditd: Verify Permissions on /etc/audit/auditd.conf
• file_permissions_etc_audit_rulesd: Verify Permissions on /etc/audit/rules.d/*.rules

RHEL-08-030620: RHEL 8 audit tools must have a mode of 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

RHEL-08-030630: RHEL 8 audit tools must be owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_ownership: Audit Tools Must Be Owned by Root

RHEL-08-030640: RHEL 8 audit tools must be group-owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root

RHEL-08-030650: RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.

Description: None

• medium

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

RHEL-08-030660: RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs

RHEL-08-030670: RHEL 8 must have the packages required for offloading audit logs installed.

Description: None

• medium

Automated: yes

• package_rsyslog_installed: Ensure rsyslog is Installed

RHEL-08-030680: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.

Description: None

• medium

Automated: yes

• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed

RHEL-08-030690: The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.

Description: None

• medium

Automated: yes

• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

RHEL-08-030700: RHEL 8 must take appropriate action when the internal event queue is full.

Description: None

• medium

Automated: yes

• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

RHEL-08-030710: RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records
• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records

RHEL-08-030720: RHEL 8 must authenticate the remote logging server for off-loading audit logs.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records

RHEL-08-030730: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space

RHEL-08-030740: RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_server_directive: Ensure Chrony is only configured with the server directive
• chronyd_specify_remote_server: A remote time server for Chrony is configured

RHEL-08-030741: RHEL 8 must disable the chrony daemon from acting as a server.

Description: None

• low

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server

RHEL-08-030742: RHEL 8 must disable network management of the chrony daemon.

Description: None

• low

Automated: yes

• chronyd_no_chronyc_network: Disable network management of chrony daemon

RHEL-08-040000: RHEL 8 must not have the telnet-server package installed.

Description: None

• high

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

RHEL-08-040001: RHEL 8 must not have any automated bug reporting tools installed.

Description: None

• medium

Automated: yes

• package_abrt-addon-ccpp_removed: Uninstall abrt-addon-ccpp Package
• package_abrt-addon-kerneloops_removed: Uninstall abrt-addon-kerneloops Package
• package_abrt-cli_removed: Uninstall abrt-cli Package
• package_abrt-plugin-sosreport_removed: Uninstall abrt-plugin-sosreport Package
• package_abrt_removed: Uninstall Automatic Bug Reporting Tool (abrt)
• package_libreport-plugin-logger_removed: Uninstall libreport-plugin-logger Package
• package_libreport-plugin-rhtsupport_removed: Uninstall libreport-plugin-rhtsupport Package
• package_python3-abrt-addon_removed: Uninstall python3-abrt-addon Package

RHEL-08-040002: RHEL 8 must not have the sendmail package installed.

Description: None

• medium

Automated: yes

• package_sendmail_removed: Uninstall Sendmail Package

RHEL-08-040004: RHEL 8 must enable mitigations against processor-based vulnerabilities.

Description: None

• low

Automated: yes

• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)

RHEL-08-040010: RHEL 8 must not have the rsh-server package installed.

Description: None

• high

Automated: no

No rules selected

RHEL-08-040020: RHEL 8 must cover or disable the built-in or attached camera when not in use.

Description: None

• medium

Automated: yes

• kernel_module_uvcvideo_disabled: Disable the uvcvideo module

RHEL-08-040021: RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.

Description: None

• low

Automated: yes

• kernel_module_atm_disabled: Disable ATM Support

RHEL-08-040022: RHEL 8 must disable the controller area network (CAN) protocol.

Description: None

• low

Automated: yes

• kernel_module_can_disabled: Disable CAN Support

RHEL-08-040023: RHEL 8 must disable the stream control transmission protocol (SCTP).

Description: None

• low

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support

RHEL-08-040024: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.

Description: None

• low

Automated: yes

• kernel_module_tipc_disabled: Disable TIPC Support

RHEL-08-040025: RHEL 8 must disable mounting of cramfs.

Description: None

• low

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

RHEL-08-040026: RHEL 8 must disable IEEE 1394 (FireWire) Support.

Description: None

• low

Automated: yes

• kernel_module_firewire-core_disabled: Disable IEEE 1394 (FireWire) Support

RHEL-08-040030: RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Description: None

• medium

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports

RHEL-08-040070: The RHEL 8 file system automounter must be disabled unless required.

Description: None

• medium

Automated: yes

• service_autofs_disabled: Disable the Automounter

RHEL-08-040080: RHEL 8 must be configured to disable USB mass storage.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

RHEL-08-040090: A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Description: None

• medium

Automated: yes

• configured_firewalld_default_deny: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

RHEL-08-040100: A firewall must be installed on RHEL 8.

Description: None

• medium

Automated: yes

• package_firewalld_installed: Install firewalld Package

RHEL-08-040110: RHEL 8 wireless network adapters must be disabled.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

RHEL-08-040111: RHEL 8 Bluetooth must be disabled.

Description: None

• medium

Automated: yes

• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module

RHEL-08-040120: RHEL 8 must mount /dev/shm with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

RHEL-08-040121: RHEL 8 must mount /dev/shm with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

RHEL-08-040122: RHEL 8 must mount /dev/shm with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

RHEL-08-040123: RHEL 8 must mount /tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp

RHEL-08-040124: RHEL 8 must mount /tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nosuid: Add nosuid Option to /tmp

RHEL-08-040125: RHEL 8 must mount /tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_tmp_noexec: Add noexec Option to /tmp

RHEL-08-040126: RHEL 8 must mount /var/log with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log

RHEL-08-040127: RHEL 8 must mount /var/log with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nosuid: Add nosuid Option to /var/log

RHEL-08-040128: RHEL 8 must mount /var/log with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_noexec: Add noexec Option to /var/log

RHEL-08-040129: RHEL 8 must mount /var/log/audit with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

RHEL-08-040130: RHEL 8 must mount /var/log/audit with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

RHEL-08-040131: RHEL 8 must mount /var/log/audit with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

RHEL-08-040132: RHEL 8 must mount /var/tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

RHEL-08-040133: RHEL 8 must mount /var/tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

RHEL-08-040134: RHEL 8 must mount /var/tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

RHEL-08-040135: The RHEL 8 fapolicy module must be installed.

Description: None

• medium

Automated: yes

• package_fapolicyd_installed: Install fapolicyd Package

RHEL-08-040140: RHEL 8 must block unauthorized peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• usbguard_generate_policy: Generate USBGuard Policy

RHEL-08-040150: A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.

Description: None

• medium

Automated: yes

• firewalld-backend: Configure Firewalld to Use the Nftables Backend

RHEL-08-040160: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

Description: None

• medium

Automated: yes

• service_sshd_enabled: Enable the OpenSSH Service

RHEL-08-040161: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.

Description: None

• medium

Automated: yes

• sshd_rekey_limit: Force frequent session key renegotiation

RHEL-08-040170: The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

RHEL-08-040171: The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.

Description: None

• high

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

RHEL-08-040172: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action

RHEL-08-040180: The debug-shell systemd service must be disabled on RHEL 8.

Description: None

• medium

Automated: yes

• service_debug-shell_disabled: Disable debug-shell SystemD Service

RHEL-08-040190: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.

Description: None

• high

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package

RHEL-08-040200: The root account must be the only account having unrestricted access to the RHEL 8 system.

Description: None

• high

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

RHEL-08-040210: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

RHEL-08-040220: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

RHEL-08-040230: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

RHEL-08-040240: RHEL 8 must not forward IPv6 source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

RHEL-08-040250: RHEL 8 must not forward IPv6 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

RHEL-08-040260: RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

RHEL-08-040261: RHEL 8 must not accept router advertisements on all IPv6 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces

RHEL-08-040262: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

RHEL-08-040270: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

RHEL-08-040280: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces

RHEL-08-040281: RHEL 8 must disable access to network bpf syscall from unprivileged processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes

RHEL-08-040282: RHEL 8 must restrict usage of ptrace to descendant processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

RHEL-08-040283: RHEL 8 must restrict exposed kernel pointer addresses access.

Description: None

• medium

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

RHEL-08-040284: RHEL 8 must disable the use of user namespaces.

Description: None

• medium

Automated: yes

• sysctl_user_max_user_namespaces_no_remediation: Disable the use of user namespaces

RHEL-08-040285: RHEL 8 must use reverse path filtering on all IPv4 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

RHEL-08-040290: RHEL 8 must be configured to prevent unrestricted mail relaying.

Description: None

• medium

Automated: yes

• postfix_prevent_unrestricted_relay: Prevent Unrestricted Mail Relaying

RHEL-08-040300: The RHEL 8 file integrity tool must be configured to verify extended attributes.

Description: None

• low

Automated: yes

• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes

RHEL-08-040310: The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).

Description: None

• low

Automated: yes

• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)

RHEL-08-040320: The graphical display manager must not be installed on RHEL 8 unless approved.

Description: None

• medium

Automated: yes

• xwindows_remove_packages: Disable graphical user interface

RHEL-08-040330: RHEL 8 network interfaces must not be in promiscuous mode.

Description: None

• medium

Automated: yes

• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer

RHEL-08-040340: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.

Description: None

• medium

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

RHEL-08-040341: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.

Description: None

• medium

Automated: yes

• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display

RHEL-08-040350: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.

Description: None

• medium

Automated: yes

• tftp_uses_secure_mode_systemd: Ensure tftp systemd Service Uses Secure Mode

RHEL-08-040360: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.

Description: None

• high

Automated: yes

• package_vsftpd_removed: Uninstall vsftpd Package

RHEL-08-040370: The gssproxy package must not be installed unless mission essential on RHEL 8.

Description: None

• medium

Automated: yes

• package_gssproxy_removed: Uninstall gssproxy Package

RHEL-08-040380: The iprutils package must not be installed unless mission essential on RHEL 8.

Description: None

• medium

Automated: yes

• package_iprutils_removed: Uninstall iprutils Package

RHEL-08-040390: The tuned package must not be installed unless mission essential on RHEL 8.

Description: None

• medium

Automated: yes

• package_tuned_removed: Uninstall tuned Package

RHEL-08-010163: The krb5-server package must not be installed on RHEL 8.

Description: None

• medium

Automated: yes

• package_krb5-server_removed: Remove the Kerberos Server Package

RHEL-08-010382: RHEL 8 must restrict privilege elevation to authorized personnel.

Description: None

• medium

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

RHEL-08-010383: RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• medium

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

RHEL-08-010384: RHEL 8 must require re-authentication when using the "sudo" command.

Description: None

• medium

Automated: yes

• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
• var_sudo_timestamp_timeout = always_prompt

RHEL-08-010049: RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

RHEL-08-010141: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.

Description: None

• medium

Automated: yes

• grub2_uefi_admin_username: Set the UEFI Boot Loader Admin Username to a Non-Default Value

RHEL-08-010149: RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.

Description: None

• medium

Automated: yes

• grub2_admin_username: Set the Boot Loader Admin Username to a Non-Default Value

RHEL-08-010152: RHEL 8 operating systems must require authentication upon booting into emergency mode.

Description: None

• medium

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

RHEL-08-010159: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm

RHEL-08-010201: RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_idle_timeout: Set SSH Client Alive Interval

RHEL-08-010287: The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.

Description: None

• medium

Automated: yes

• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy

RHEL-08-010472: RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.

Description: None

• low

Automated: yes

• package_rng-tools_installed: Install rng-tools Package

RHEL-08-010522: The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.

Description: None

• medium

Automated: yes

• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

RHEL-08-010544: RHEL 8 must use a separate file system for /var/tmp.

Description: None

• medium

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

RHEL-08-010572: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

Description: None

• medium

Automated: yes

• mount_option_boot_efi_nosuid: Add nosuid Option to /boot/efi

RHEL-08-010731: All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.

Description: None

• medium

Automated: yes

• accounts_users_home_files_permissions: All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

RHEL-08-010741: RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.

Description: None

• medium

Automated: yes

• accounts_users_home_files_groupownership: All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

RHEL-08-020025: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_system_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.

RHEL-08-020026: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_password_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.

RHEL-08-020031: RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period
• var_screensaver_lock_delay = 5_seconds

RHEL-08-020032: RHEL 8 must disable the user list at logon for graphical user interfaces.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

RHEL-08-020081: RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings

RHEL-08-020082: RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_locked: Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

RHEL-08-020332: RHEL 8 must not allow blank or null passwords in the password-auth file.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

RHEL-08-030181: RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

RHEL-08-030731: RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space

RHEL-08-040101: A firewall must be active on RHEL 8.

Description: None

• medium

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

RHEL-08-040136: The RHEL 8 fapolicy module must be enabled.

Description: None

• medium

Automated: yes

• service_fapolicyd_enabled: Enable the File Access Policy Service

RHEL-08-040137: The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Description: None

• medium

Automated: yes

• fapolicy_default_deny: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.

RHEL-08-040139: RHEL 8 must have the USBGuard installed.

Description: None

• medium

Automated: yes

• package_usbguard_installed: Install usbguard Package

RHEL-08-040141: RHEL 8 must enable the USBGuard.

Description: None

• medium

Automated: yes

• service_usbguard_enabled: Enable the USBGuard Service

RHEL-08-040159: All RHEL 8 networked systems must have SSH installed.

Description: None

• medium

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package

RHEL-08-040209: RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

RHEL-08-040239: RHEL 8 must not forward IPv4 source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

RHEL-08-040249: RHEL 8 must not forward IPv4 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

RHEL-08-040279: RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces

RHEL-08-040286: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.

Description: None

• medium

Automated: yes

• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler

RHEL-08-020027: RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.

Description: None

• medium

Automated: yes

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory

RHEL-08-020028: RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.

Description: None

• medium

Automated: yes

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory

RHEL-08-040259: RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_forwarding: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

RHEL-08-010121: The RHEL 8 operating system must not have accounts configured with blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

RHEL-08-010331: RHEL 8 library directories must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions

RHEL-08-010341: RHEL 8 library directories must be owned by root.

Description: None

• medium

Automated: yes

• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership

RHEL-08-010351: RHEL 8 library directories must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership

RHEL-08-010359: The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.

Description: None

• medium

Automated: yes

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE

RHEL-08-010379: RHEL 8 must specify the default "include" directory for the /etc/sudoers file.

Description: None

• medium

Automated: yes

• sudoers_default_includedir: Ensure sudo only includes the default configuration directory

RHEL-08-010385: The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.

Description: None

• medium

Automated: yes

• disallow_bypass_password_sudo: Disallow Configuration to Bypass Password Requirements for Privilege Escalation

RHEL-08-020101: RHEL 8 must ensure the password complexity module is enabled in the system-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth

RHEL-08-020104: RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.

Description: None

• medium

Automated: yes

• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

RHEL-08-040321: The graphical display manager must not be the default target on RHEL 8 unless approved.

Description: None

• medium

Automated: yes

• xwindows_runlevel_target: Disable Graphical Environment Startup By Setting Default Target

RHEL-08-040400: RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

Description: None

• medium

Automated: yes

• selinux_user_login_roles: Map System Users To The Appropriate SELinux Role

RHEL-08-040342: RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

Description: None

• medium

Automated: yes

• sshd_use_approved_kex_ordered_stig: Use Only FIPS 140-2 Validated Key Exchange Algorithms

RHEL-08-010019: RHEL 8 must ensure cryptographic verification of vendor software packages.

Description: None

• medium

Automated: yes

• ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed

RHEL-08-010358: RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.

Description: None

• medium

Automated: yes

• package_mailx_installed: The mailx Package Is Installed

RHEL-08-020035: RHEL 8.7 and higher must terminate idle user sessions.

Description: None

• medium

Automated: yes

• logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
• var_logind_session_timeout = 10_minutes

RHEL-08-020331: RHEL 8 must not allow blank or null passwords in the system-auth file.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

RHEL-08-010296: RHEL 8 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140 Validated Ciphers: openssh.config
• harden_sshd_macs_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

RHEL-08-010297: RHEL 8 SSH client must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: no

No rules selected

RHEL-08-010455: RHEL 8 must elevate the SELinux context when an administrator calls the sudo command.

Description: None

• medium

Automated: yes

• selinux_context_elevation_for_sudo: Elevate The SELinux Context When An Administrator Calls The Sudo Command