Definition of Security Profile Application Guide for Red Hat Enterprise Linux 9 for rhel9

reload_dconf_db: Reload Dconf Database

Description: None

• basic
• intermediate
• advanced

Automated: yes

• dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles

enable_authselect: Enable Authselect

Description: None

• basic
• intermediate
• advanced

Automated: yes

• enable_authselect: Enable authselect
• var_authselect_profile = sssd

A.3.SEC-RHEL1: Session Initiation is Audited

Description: None

• basic
• intermediate
• advanced

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

A.3.SEC-RHEL2: Control Who Can Access Security and Audit Logs

Description: None

• intermediate
• advanced

Automated: yes

• directory_permissions_var_log_audit: System Audit Logs Must Have Mode 0750 or Less Permissive
• file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

A.3.SEC-RHEL3: System Time Change is Controlled

Description: None

• intermediate
• advanced

Automated: yes

• chronyd_run_as_chrony_user: Ensure that chronyd is running under chrony user account
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• package_chrony_installed: The Chrony package is installed
• var_multiple_time_servers = rhel

A.3.SEC-RHEL4: Control Who Can Generate or Modify Audit Rules

Description: None

• intermediate
• advanced

Automated: yes

• file_groupownership_audit_configuration: Audit Configuration Files Must Be Owned By Group root
• file_ownership_audit_configuration: Audit Configuration Files Must Be Owned By Root
• file_permissions_audit_configuration: Audit Configuration Files Permissions are 640 or More Restrictive

A.3.SEC-RHEL5: A Detailed Audit Has Been Implemented Based on Subcategories

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.3.SEC-RHEL6: At Least 90 Days of Activity Logs Are Guaranteed

Description: None

• basic
• intermediate
• advanced

Automated: yes

• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_auditd_max_log_file_action = keep_logs

A.3.SEC-RHEL7: Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups, and Passwords

Description: None

• basic
• intermediate
• advanced

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• audit_sudo_log_events: Record Attempts to perform maintenance activities

A.3.SEC-RHEL8: Changes to Cron Settings and Scheduled Tasks Including Startup Scripts Are Audited

Description: None

• advanced

Automated: no

No rules selected

A.3.SEC-RHEL9: Attempts to Access Critical Items Are Audited

Description: None

• advanced

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

A.3.SEC-RHEL10: All Mount Operations on the System and Changes to the Swap Are Audited

Description: None

• intermediate
• advanced

Automated: no

• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)

A.3.SEC-RHEL11: Modifications in PAM Files Are Audited

Description: None

• advanced

Automated: no

No rules selected

A.4.SEC-RHEL1: Common Users Do Dot Have Local Administrator Permissions and Are Not Included in a Sudo Group

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.4.SEC-RHEL2: The System Has an Updated Antivirus

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.4.SEC-RHEL3: Permissions by Partitions Are Modified

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.5.SEC-RHEL1: Login and Impersonation Permissions Are Controlled

Description: None

• intermediate
• advanced

Automated: yes

• sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

A.5.SEC-RHEL2: Elevation Attempts Are Controlled by Defining Users and Sudoer Groups

Description: None

• basic
• intermediate
• advanced

Automated: yes

• sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo
• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command

A.5.SEC-RHEL3: Access to Encryption Keys is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.5.SEC-RHEL4: Disable Insecure Encryption Algorithms

Description: None

• basic
• intermediate
• advanced

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• var_system_crypto_policy = default_policy

A.5.SEC-RHEL5: Recurring Password Change is Required

Description: None

• basic
• intermediate
• advanced

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• accounts_password_set_warn_age_existing: Set Existing Passwords Warning Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• var_accounts_maximum_age_login_defs = 45
• var_accounts_minimum_age_login_defs = 2
• var_accounts_password_warn_age_login_defs = 10

A.5.SEC-RHEL6: Secure Protocols Are Used For the Network Authentication Processes

Description: None

• basic
• intermediate
• advanced

Automated: yes

• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy

A.5.SEC-RHEL7: Network Session Inactivity is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: yes

• sshd_idle_timeout_value = 15_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval
• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_sshd_set_keepalive = 1

A.5.SEC-RHEL8: Local and Remote Console Inactivity is Controlled

Description: None

• advanced

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 5_min

A.6.SEC-RHEL1: The Security of Sensitive System Objects is Reinforced

Description: None

• intermediate
• advanced

Automated: yes

• grub2_enable_selinux: Ensure SELinux Not Disabled in /etc/default/grub
• package_libselinux_installed: Install libselinux Package
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing

A.6.SEC-RHEL2: Access in Recovery Mode Including Grub Boot Modification Mode is Restricted

Description: None

• basic
• intermediate
• advanced

Automated: yes

• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_groupowner_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
• file_owner_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions
• file_permissions_user_cfg: Verify /boot/grub2/user.cfg Permissions

A.6.SEC-RHEL3: Service Users Shell is Limited to "/bin/false"

Description: None

• intermediate
• advanced

Automated: yes

• no_password_auth_for_systemaccounts: Ensure that System Accounts Are Locked
• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

A.6.SEC-RHEL4: The Use of Sessions With the "root" User is Restricted

Description: None

• intermediate
• advanced

Automated: yes

• ensure_root_password_configured: Ensure Authentication Required for Single User Mode
• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

A.6.SEC-RHEL5: The Global System Mask is Modified To Be More Restrictive

Description: None

• advanced

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs
• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile
• var_accounts_user_umask = 027

A.6.SEC-RHEL6: Unnecessary Groups and Users are Removed From the System

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.8.SEC-RHEL1: Control Who Can Install Software on the System

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.8.SEC-RHEL2: The Operating System is Updated

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.8.SEC-RHEL3: The System Has an Activated Local Firewall

Description: None

• basic
• intermediate
• advanced

Automated: yes

• firewalld_loopback_traffic_restricted: Configure Firewalld to Restrict Loopback Traffic
• firewalld_loopback_traffic_trusted: Configure Firewalld to Trust Loopback Traffic
• package_firewalld_installed: Install firewalld Package
• service_firewalld_enabled: Verify firewalld Enabled
• service_nftables_disabled: Verify nftables Service is Disabled
• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

A.8.SEC-RHEL4: Unnecessary Services are Disabled, Reducing the Attack Surface

Description: None

• intermediate
• advanced

Automated: yes

• kernel_module_squashfs_disabled: Disable Mounting of squashfs
• kernel_module_udf_disabled: Disable Mounting of udf
• package_bind_removed: Uninstall bind Package
• package_cyrus-imapd_removed: Uninstall cyrus-imapd Package
• package_dovecot_removed: Uninstall dovecot Package
• package_net-snmp_removed: Uninstall net-snmp Package
• package_squid_removed: Uninstall squid Package
• package_telnet-server_removed: Uninstall telnet-server Package
• package_tftp-server_removed: Uninstall tftp-server Package
• package_vsftpd_removed: Uninstall vsftpd Package

A.8.SEC-RHEL5: Application Execution is Controlled

Description: None

• advanced

Automated: no

No rules selected

A.8.SEC-RHEL6: Anti-Ransomware Measures are Enabled

Description: None

• basic
• intermediate
• advanced

Automated: no

• sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs
• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

A.8.SEC-RHEL7: Password Encrypted Boot That Prevents Modification is Enabled (Protected GRUB)

Description: None

• basic
• intermediate
• advanced

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

A.8.SEC-RHEL8: File Download is Audited

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.8.SEC-RHEL9: System Compilers are Disabled

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL1: Local Log On To the System is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL2: The Security of the SSH Protocol is Strengthened

Description: None

• basic
• intermediate
• advanced

Automated: yes

• sshd_limit_user_access: Limit Users' SSH Access

A.11.SEC-RHEL3: A Robust Credential Policy is In Place

Description: None

• basic
• intermediate
• advanced

Automated: yes

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• var_password_pam_minclass = 4
• var_password_pam_minlen = 14

A.11.SEC-RHEL4: During Login, the System Displays a Text in Compliance With the Organization's Standards or Directives

Description: None

• basic
• intermediate
• advanced

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• banner_etc_issue_net: Modify the System Login Banner for Remote Connections
• banner_etc_motd: Modify the System Message of the Day Banner
• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner
• dconf_gnome_login_banner_text: Set the GNOME3 Login Warning Banner Text
• login_banner_text = cis_banners
• motd_banner_text = cis_banners
• remote_login_banner_text = cis_banners
• sshd_enable_warning_banner_net: Enable SSH Warning Banner

A.11.SEC-RHEL5: Network Acess to the System is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL6: Only Strong Encryption Algorithms are Allowed in Accesses to the System

Description: None

• basic
• intermediate
• advanced

Automated: yes

No rules selected

A.11.SEC-RHEL7: GUI Idle Time is Limited

Description: None

• intermediate
• advanced

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout
• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period
• inactivity_timeout_value = 5_minutes
• var_screensaver_lock_delay = immediate

A.11.SEC-RHEL8: A Dissuasive Banner is Displayed

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL9: The User List is Disabled

Description: None

• intermediate
• advanced

Automated: yes

• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

A.11.SEC-RHEL10: File History is Disabled

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL11: Key Combination to Launch GTK Inspector is Disabled

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.11.SEC-RHEL12: Auto-Mounting of Removable Devices on the System is Disabled

Description: None

• intermediate
• advanced

Automated: yes

• dconf_gnome_disable_automount: Disable GNOME3 Automounting
• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening
• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

A.15.SEC-RHEL1: The Use of Removable Storage Media is Controlled

Description: None

• intermediate
• advanced

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

A.19.SEC-RHEL1: Access to the Folder and File Tree is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.19.SEC-RHEL2: Measures Are Applied to Protect Accounts

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.19.SEC-RHEL3: A Robust Algorithm and Password Complexity Are Enabled

Description: None

• basic
• intermediate
• advanced

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• var_password_hashing_algorithm = SHA512
• var_password_hashing_algorithm_pam = sha512

A.23.SEC-RHEL1: The Installation And Use of Any Device Connected to the Equipment is Controlled

Description: None

• basic
• intermediate
• advanced

Automated: yes

• package_usbguard_installed: Install usbguard Package
• service_usbguard_enabled: Enable the USBGuard Service
• usbguard_generate_policy: Generate USBGuard Policy

A.23.SEC-RHEL2: The Dynamic Mounting and Unmounting of File Systems is Restricted

Description: None

• basic
• intermediate
• advanced

Automated: no

No rules selected

A.24.SEC-RHEL1: Privileges That Affect System Performance Are Controlled

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.24.SEC-RHEL2: Control Who Can Turn Off the System

Description: None

• intermediate
• advanced

Automated: no

No rules selected

A.25.SEC-RHEL1: System Disk is Encrypted

Description: None

• advanced

Automated: yes

• encrypt_partitions: Encrypt Partitions
• package_cryptsetup-luks_installed: Install cryptsetup Package

A.25.SEC-RHEL2: The Data Disk is Encrypted

Description: None

• advanced

Automated: yes

No rules selected

A.30.SEC-RHEL1: There Is an Account Lockout Policy for Incorrect Logins

Description: None

• advanced

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 8
• var_accounts_passwords_pam_faillock_unlock_time = never