Definition of SYS.1.3 Linux Server (RHEL9) for rhel9

SYS.1.3.A1: ELIMINATED

Description: This requirement has been eliminated.

• basic

Automated: no

No rules selected

SYS.1.3.A2: Careful Allocation of IDs

Description: (1) Each login name, each user ID (UID) and each group ID (GID) MUST ONLY be used once. (2) Every user MUST be a member of at least one group. (3) Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. (4) Every group SHOULD only contain the users that are absolutely necessary. (5) In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.

• basic

Automated: no

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs
• account_unique_name: Ensure All Accounts on the System Have Unique Names
• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group
• group_unique_id: Ensure All Groups on the System Have Unique Group ID
• group_unique_name: Ensure All Groups on the System Have Unique Group Names

SYS.1.3.A3: No Automatic Integration of Removable Drives

Description: (1) Removable media such as USB pen drives or CDs/DVDs MUST NOT be integrated automatically.

• basic

Automated: yes

• bios_disable_usb_boot: Disable Booting from USB Devices in Boot Firmware
• grub2_nousb_argument: Disable Kernel Support for USB via Bootloader Configuration
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• service_autofs_disabled: Disable the Automounter

SYS.1.3.A4: Protection from Exploitation of Vulnerabilities in Applications

Description: (1) ASLR and DEP/NX MUST be activated in the kernel and used by applications to make it harder to exploit vulnerabilities in applications. (2) Security functions of the kernel and of the standard libraries (such as heap and stack protection) MUST NOT be disabled.

• basic

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
• grub2_enable_selinux: Ensure SELinux Not Disabled in /etc/default/grub
• package_libselinux_installed: Install libselinux Package
• selinux_not_disabled: Ensure SELinux is Not Disabled

SYS.1.3.A5: Secure Installation of Software Packages

Description: (1) If software to be installed is to be compiled from source code, it MUST ONLY be unpacked, configured, and compiled using an unprivileged user account. (2) The software to be installed MUST NOT then be installed in the root file system of the server in question in an uncontrolled manner. (3) If the software is compiled from the source text, the selected parameters SHOULD be documented appropriately. (4) Based on this documentation, it SHOULD be possible to compile the software in a transparent and reproducible manner at any time. (5) All further installation steps SHOULD also be documented.

• basic

Automated: no

No rules selected

SYS.1.3.A6: Managing Users and Groups

Description: (1) The corresponding management tools SHOULD be used for managing users and groups. (2) The configuration files /etc/passwd, /etc/shadow, /etc/group, and /etc/sudoers SHOULD NOT be edited directly.

• standard

Automated: no

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SYS.1.3.A7: ELIMINATED

Description: This requirement has been eliminated.

• standard

Automated: no

No rules selected

SYS.1.3.A8: Encrypted Access via Secure Shell

Description: (1) Only Secure Shell (SSH) SHOULD be used to create an encrypted and authenticated interactive connection between two IT systems. (2) All other protocols whose functions are covered by Secure Shell SHOULD be disabled completely. (3) For authentication, users SHOULD primarily use certificates instead of passwords.

• standard

Automated: yes

• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception
• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients
• service_sshd_enabled: Enable the OpenSSH Service
• sshd_allow_only_protocol2: Allow Only SSH Protocol 2
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_disable_root_password_login: Disable SSH root Login with a Password (Insecure)
• sshd_enable_pubkey_auth: Enable Public Key Authentication

SYS.1.3.A9: ELIMINATED

Description: This requirement has been eliminated.

• standard

Automated: no

No rules selected

SYS.1.3.A10: Preventing Further Intrusion When Vulnerabilities Are Exploited

Description: (1) Services and applications SHOULD be protected with individual security architecture (e.g. with AppArmor or SELinux). (2) In addition, chroot environments and LXC or Docker containers SHOULD be taken into account here. (3) It SHOULD be ensured that the standard profiles and rules provided are activated.

• standard

Automated: no

• grub2_enable_selinux: Ensure SELinux Not Disabled in /etc/default/grub
• package_libselinux_installed: Install libselinux Package
• selinux_confinement_of_daemons: Ensure No Daemons are Unconfined by SELinux
• selinux_not_disabled: Ensure SELinux is Not Disabled
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing

SYS.1.3.A11: ELIMINATED

Description: This requirement has been eliminated.

• standard

Automated: no

No rules selected

SYS.1.3.A12: ELIMINATED

Description: This requirement has been eliminated.

• standard

Automated: no

No rules selected

SYS.1.3.A13: ELIMINATED

Description: This requirement has been eliminated.

• elevated

Automated: no

No rules selected

SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information

Description: (1) Information output for users regarding the operating system and access to protocol and configuration files SHOULD be limited to the required minimum. (2) Moreover, confidential information SHOULD NOT be provided as parameters when commands are issued.

• standard

Automated: no

• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_groupowner_at_allow: Verify Group Who Owns /etc/at.allow file
• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
• file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab
• file_groupowner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Group Ownership
• file_groupowner_efi_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_issue: Verify Group Ownership of System Login Banner
• file_groupowner_etc_issue_net: Verify Group Ownership of System Login Banner for Remote Connections
• file_groupowner_etc_motd: Verify Group Ownership of Message of the Day Banner
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_groupowner_etc_shells: Verify Group Who Owns /etc/shells File
• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
• file_groupowner_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_groupownership_audit_binaries: Verify that audit tools are owned by group root
• file_groupownership_audit_configuration: Audit Configuration Files Must Be Owned By Group root
• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group
• file_groupownership_sshd_private_key: Verify Group Ownership on SSH Server Private *_key Key Files
• file_groupownership_sshd_pub_key: Verify Group Ownership on SSH Server Public *.pub Key Files
• file_owner_at_allow: Verify User Who Owns /etc/at.allow file
• file_owner_backup_etc_group: Verify User Who Owns Backup group File
• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
• file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab
• file_owner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg User Ownership
• file_owner_efi_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_issue: Verify ownership of System Login Banner
• file_owner_etc_issue_net: Verify ownership of System Login Banner for Remote Connections
• file_owner_etc_motd: Verify ownership of Message of the Day Banner
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_owner_etc_shells: Verify Who Owns /etc/shells File
• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
• file_owner_sshd_config: Verify Owner on SSH Server config file
• file_owner_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_ownership_audit_binaries: Verify that audit tools are owned by root
• file_ownership_audit_configuration: Audit Configuration Files Must Be Owned By Root
• file_ownership_home_directories: All Interactive User Home Directories Must Be Owned By The Primary User
• file_ownership_sshd_private_key: Verify Ownership on SSH Server Private *_key Key Files
• file_ownership_sshd_pub_key: Verify Ownership on SSH Server Public *.pub Key Files
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_at_allow: Verify Permissions on /etc/at.allow file
• file_permissions_audit_binaries: Verify that audit tools Have Mode 0755 or less
• file_permissions_audit_configuration: Audit Configuration Files Permissions are 640 or More Restrictive
• file_permissions_backup_etc_group: Verify Permissions on Backup group File
• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File
• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File
• file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file
• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly
• file_permissions_crontab: Verify Permissions on crontab
• file_permissions_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Permissions
• file_permissions_efi_user_cfg: Verify /boot/grub2/user.cfg Permissions
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_issue: Verify permissions on System Login Banner
• file_permissions_etc_issue_net: Verify permissions on System Login Banner for Remote Connections
• file_permissions_etc_motd: Verify permissions on Message of the Day Banner
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_shadow: Verify Permissions on shadow File
• file_permissions_etc_shells: Verify Permissions on /etc/shells File
• file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions
• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
• file_permissions_sshd_config: Verify Permissions on SSH Server config file
• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files
• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files
• file_permissions_unauthorized_sgid: Ensure All SGID Executables Are Authorized
• file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized
• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist
• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• file_permissions_user_cfg: Verify /boot/grub2/user.cfg Permissions
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

SYS.1.3.A15: ELIMINATED

Description: This requirement has been eliminated.

• elevated

Automated: no

No rules selected

SYS.1.3.A16: Additional Prevention of Further Intrusion When Vulnerabilities Are Exploited

Description: (1) The use of system calls SHOULD be limited to those absolutely necessary, particularly for exposed services and applications. (2) The standard profiles and/or rules (e.g. of SELinux or AppArmor) SHOULD be checked manually and, if necessary, adapted to an organisation's own security policies. (3) If necessary, new rules and profiles SHOULD be drawn up.

• elevated

Automated: no

No rules selected

SYS.1.3.A17: Additional Kernel Protection

Description: (1) Specially hardened kernels (e.g. grsecurity, PaX) and appropriate protective safeguards such as memory protection or file system protection SHOULD be implemented to prevent exploitation of vulnerabilities and propagation in operating systems.

• elevated

Automated: no

No rules selected