Definition of Red Hat Enterprise Linux 9 Security Technical Implementation Guide for rhel9

needed_rules: None

Description: None

• medium

Automated: no

• enable_authselect: Enable authselect
• var_authselect_profile = sssd

RHEL-09-211010: RHEL 9 must be a vendor-supported release.

Description: None

• high

Automated: yes

• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported

RHEL-09-211015: RHEL 9 vendor packaged system security patches and updates must be installed and up to date.

Description: None

• medium

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

RHEL-09-211020: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = dod_banners

RHEL-09-211025: RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.

Description: None

• medium

Automated: yes

• agent_mfetpd_running: Ensure McAfee Endpoint Security for Linux (ENSL) is running
• package_mcafeetp_installed: Install McAfee Endpoint Security for Linux (ENSL)

RHEL-09-211030: The graphical display manager must not be the default target on RHEL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_runlevel_target: Disable X Windows Startup By Setting Default Target

RHEL-09-211035: RHEL 9 must enable the hardware random number generator entropy gatherer service.

Description: None

• low

Automated: no

No rules selected

RHEL-09-211040: RHEL 9 systemd-journald service must be enabled.

Description: None

• medium

Automated: yes

• service_systemd-journald_enabled: Enable systemd-journald Service

RHEL-09-211045: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action

RHEL-09-211050: The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

RHEL-09-211055: RHEL 9 debug-shell systemd service must be disabled.

Description: None

• medium

Automated: yes

• service_debug-shell_disabled: Disable debug-shell SystemD Service

RHEL-09-212010: RHEL 9 must require a boot loader superuser password.

Description: None

• medium

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

RHEL-09-212015: RHEL 9 must disable the ability of systemd to spawn an interactive boot process.

Description: None

• medium

Automated: yes

• grub2_disable_interactive_boot: Verify that Interactive Boot is Disabled

RHEL-09-212020: RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.

Description: None

• high

Automated: yes

• grub2_admin_username: Set the Boot Loader Admin Username to a Non-Default Value

RHEL-09-212025: RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership

RHEL-09-212030: RHEL 9 /boot/grub2/grub.cfg file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership

RHEL-09-212035: RHEL 9 must disable virtual system calls.

Description: None

• medium

Automated: yes

• grub2_vsyscall_argument: Disable vsyscalls

RHEL-09-212040: RHEL 9 must clear the page allocator to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_page_poison_argument: Enable page allocator poisoning

RHEL-09-212045: RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.

Description: None

• medium

Automated: yes

• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning

RHEL-09-212050: RHEL 9 must enable mitigations against processor-based vulnerabilities.

Description: None

• low

Automated: yes

• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)

RHEL-09-212055: RHEL 9 must enable auditing of processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

RHEL-09-213010: RHEL 9 must restrict access to the kernel message buffer.

Description: None

• medium

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

RHEL-09-213015: RHEL 9 must prevent kernel profiling by nonprivileged users.

Description: None

• medium

Automated: yes

• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

RHEL-09-213020: RHEL 9 must prevent the loading of a new kernel for later execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading

RHEL-09-213025: RHEL 9 must restrict exposed kernel pointer addresses access.

Description: None

• medium

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

RHEL-09-213030: RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks

RHEL-09-213035: RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

Description: None

• medium

Automated: yes

• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

RHEL-09-213040: RHEL 9 must disable the kernel.core_pattern.

Description: None

• medium

Automated: yes

• sysctl_kernel_core_pattern: Disable storing core dumps

RHEL-09-213045: RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.

Description: None

• medium

Automated: yes

• kernel_module_atm_disabled: Disable ATM Support

RHEL-09-213050: RHEL 9 must be configured to disable the Controller Area Network kernel module.

Description: None

• medium

Automated: yes

• kernel_module_can_disabled: Disable CAN Support

RHEL-09-213055: RHEL 9 must be configured to disable the FireWire kernel module.

Description: None

• medium

Automated: yes

• kernel_module_firewire-core_disabled: Disable IEEE 1394 (FireWire) Support

RHEL-09-213060: RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support

RHEL-09-213065: RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

Description: None

• medium

Automated: yes

• kernel_module_tipc_disabled: Disable TIPC Support

RHEL-09-213070: RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

RHEL-09-213075: RHEL 9 must disable access to network bpf system call from nonprivileged processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes

RHEL-09-213080: RHEL 9 must restrict usage of ptrace to descendant processes.

Description: None

• medium

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

RHEL-09-213085: RHEL 9 must disable core dump backtraces.

Description: None

• medium

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces

RHEL-09-213090: RHEL 9 must disable storing core dumps.

Description: None

• medium

Automated: yes

• coredump_disable_storage: Disable storing core dump

RHEL-09-213095: RHEL 9 must disable core dumps for all users.

Description: None

• medium

Automated: yes

• disable_users_coredumps: Disable Core Dumps for All Users

RHEL-09-213100: RHEL 9 must disable acquiring, saving, and processing core dumps.

Description: None

• medium

Automated: yes

• service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps

RHEL-09-213105: RHEL 9 must disable the use of user namespaces.

Description: None

• medium

Automated: yes

• sysctl_user_max_user_namespaces: Disable the use of user namespaces

RHEL-09-213110: RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_exec_shield: Enable ExecShield via sysctl

RHEL-09-213115: The kdump service on RHEL 9 must be disabled.

Description: None

• medium

Automated: yes

• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)

RHEL-09-214010: RHEL 9 must ensure cryptographic verification of vendor software packages.

Description: None

• medium

Automated: yes

• ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed

RHEL-09-214015: RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration

RHEL-09-214020: RHEL 9 must check the GPG signature of locally installed software packages before installation.

Description: None

• high

Automated: yes

• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages

RHEL-09-214025: RHEL 9 must have GPG signature verification enabled for all software repositories.

Description: None

• high

Automated: yes

• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories

RHEL-09-214030: RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.

Description: None

• medium

Automated: no

No rules selected

RHEL-09-214035: RHEL 9 must remove all software components after updated versions have been installed.

Description: None

• low

Automated: yes

• clean_components_post_updating: Ensure dnf Removes Previous Package Versions

RHEL-09-215010: RHEL 9 subscription-manager package must be installed.

Description: None

• medium

Automated: yes

• package_subscription-manager_installed: Install subscription-manager Package

RHEL-09-215015: RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

Description: None

• high

Automated: yes

• package_vsftpd_removed: Uninstall vsftpd Package

RHEL-09-215020: RHEL 9 must not have the sendmail package installed.

Description: None

• medium

Automated: yes

• package_sendmail_removed: Uninstall Sendmail Package

RHEL-09-215025: RHEL 9 must not have the nfs-utils package installed.

Description: None

• medium

Automated: yes

• package_nfs-utils_removed: Uninstall nfs-utils Package

RHEL-09-215030: RHEL 9 must not have the ypserv package installed.

Description: None

• medium

Automated: yes

• package_ypserv_removed: Uninstall ypserv Package

RHEL-09-215035: RHEL 9 must not have the rsh-server package installed.

Description: None

• medium

Automated: yes

• package_rsh-server_removed: Uninstall rsh-server Package

RHEL-09-215040: RHEL 9 must not have the telnet-server package installed.

Description: None

• medium

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

RHEL-09-215045: RHEL 9 must not have the gssproxy package installed.

Description: None

• medium

Automated: yes

• package_gssproxy_removed: Uninstall gssproxy Package

RHEL-09-215050: RHEL 9 must not have the iprutils package installed.

Description: None

• medium

Automated: yes

• package_iprutils_removed: Uninstall iprutils Package

RHEL-09-215055: RHEL 9 must not have the tuned package installed.

Description: None

• medium

Automated: yes

• package_tuned_removed: Uninstall tuned Package

RHEL-09-215060: RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.

Description: None

• high

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package

RHEL-09-215065: RHEL 9 must not have the quagga package installed.

Description: None

• medium

Automated: yes

• package_quagga_removed: Uninstall quagga Package

RHEL-09-215070: A graphical display manager must not be installed on RHEL 9 unless approved.

Description: None

• medium

Automated: yes

• xwindows_remove_packages: Disable graphical user interface

RHEL-09-215075: RHEL 9 must have the openssl-pkcs11 package installed.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

RHEL-09-215080: RHEL 9 must have the gnutls-utils package installed.

Description: None

• medium

Automated: yes

• package_gnutls-utils_installed: Ensure gnutls-utils is installed

RHEL-09-215085: RHEL 9 must have the nss-tools package installed.

Description: None

• medium

Automated: yes

• package_nss-tools_installed: Ensure nss-tools is installed

RHEL-09-215090: RHEL 9 must have the rng-tools package installed.

Description: None

• medium

Automated: yes

• package_rng-tools_installed: Install rng-tools Package

RHEL-09-215095: RHEL 9 must have the s-nail package installed.

Description: None

• medium

Automated: yes

• package_s-nail_installed: The s-nail Package Is Installed

RHEL-09-231010: A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).

Description: None

• medium

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

RHEL-09-231015: RHEL 9 must use a separate file system for /tmp.

Description: None

• medium

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

RHEL-09-231020: RHEL 9 must use a separate file system for /var.

Description: None

• low

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

RHEL-09-231025: RHEL 9 must use a separate file system for /var/log.

Description: None

• low

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

RHEL-09-231030: RHEL 9 must use a separate file system for the system audit data path.

Description: None

• low

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

RHEL-09-231035: RHEL 9 must use a separate file system for /var/tmp.

Description: None

• medium

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

RHEL-09-231040: RHEL 9 file system automount function must be disabled unless required.

Description: None

• medium

Automated: yes

• service_autofs_disabled: Disable the Automounter

RHEL-09-231045: RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nodev: Add nodev Option to /home

RHEL-09-231050: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

RHEL-09-231055: RHEL 9 must prevent code from being executed on file systems that contain user home directories.

Description: None

• medium

Automated: yes

• mount_option_home_noexec: Add noexec Option to /home

RHEL-09-231060: RHEL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.

Description: None

• medium

Automated: yes

• mount_option_krb_sec_remote_filesystems: Mount Remote Filesystems with Kerberos Security

RHEL-09-231065: RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nodev_remote_filesystems: Mount Remote Filesystems with nodev

RHEL-09-231070: RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec

RHEL-09-231075: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

Description: None

• medium

Automated: yes

• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid

RHEL-09-231080: RHEL 9 must prevent code from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

RHEL-09-231085: RHEL 9 must prevent special devices on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions

RHEL-09-231090: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

Description: None

• medium

Automated: yes

• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

RHEL-09-231095: RHEL 9 must mount /boot with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_boot_nodev: Add nodev Option to /boot

RHEL-09-231100: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

Description: None

• medium

Automated: yes

• mount_option_boot_nosuid: Add nosuid Option to /boot

RHEL-09-231105: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

Description: None

• medium

Automated: yes

• mount_option_boot_efi_nosuid: Add nosuid Option to /boot/efi

RHEL-09-231110: RHEL 9 must mount /dev/shm with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

RHEL-09-231115: RHEL 9 must mount /dev/shm with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

RHEL-09-231120: RHEL 9 must mount /dev/shm with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

RHEL-09-231125: RHEL 9 must mount /tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp

RHEL-09-231130: RHEL 9 must mount /tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_tmp_noexec: Add noexec Option to /tmp

RHEL-09-231135: RHEL 9 must mount /tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_tmp_nosuid: Add nosuid Option to /tmp

RHEL-09-231140: RHEL 9 must mount /var with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_nodev: Add nodev Option to /var

RHEL-09-231145: RHEL 9 must mount /var/log with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log

RHEL-09-231150: RHEL 9 must mount /var/log with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_noexec: Add noexec Option to /var/log

RHEL-09-231155: RHEL 9 must mount /var/log with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_nosuid: Add nosuid Option to /var/log

RHEL-09-231160: RHEL 9 must mount /var/log/audit with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

RHEL-09-231165: RHEL 9 must mount /var/log/audit with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

RHEL-09-231170: RHEL 9 must mount /var/log/audit with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

RHEL-09-231175: RHEL 9 must mount /var/tmp with the nodev option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

RHEL-09-231180: RHEL 9 must mount /var/tmp with the noexec option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

RHEL-09-231185: RHEL 9 must mount /var/tmp with the nosuid option.

Description: None

• medium

Automated: yes

• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

RHEL-09-231190: RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

RHEL-09-231195: RHEL 9 must disable mounting of cramfs.

Description: None

• low

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

RHEL-09-231200: RHEL 9 must prevent special devices on non-root local partitions.

Description: None

• medium

Automated: yes

• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions

RHEL-09-232010: RHEL 9 system commands must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions

RHEL-09-232015: RHEL 9 library directories must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions

RHEL-09-232020: RHEL 9 library files must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions

RHEL-09-232025: RHEL 9 /var/log directory must have mode 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log: Verify Permissions on /var/log Directory

RHEL-09-232030: RHEL 9 /var/log/messages file must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_var_log_messages: Verify Permissions on /var/log/messages File

RHEL-09-232035: RHEL 9 audit tools must have a mode of 0755 or less permissive.

Description: None

• medium

Automated: yes

• file_audit_tools_permissions: Audit Tools Must Have a Mode of 0755 or Less Permissive

RHEL-09-232040: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly

RHEL-09-232045: All RHEL 9 local initialization files must have mode 0740 or less permissive.

Description: None

• medium

Automated: yes

• file_permission_user_init_files_root: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
• var_user_initialization_files_regex = all_dotfiles

RHEL-09-232050: All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

RHEL-09-232055: RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_group: Verify Permissions on group File

RHEL-09-232060: RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_group: Verify Permissions on Backup group File

RHEL-09-232065: RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_gshadow: Verify Permissions on gshadow File

RHEL-09-232070: RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File

RHEL-09-232075: RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_passwd: Verify Permissions on passwd File

RHEL-09-232080: RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File

RHEL-09-232085: RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File

RHEL-09-232090: RHEL 9 /etc/group file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_group: Verify User Who Owns group File

RHEL-09-232095: RHEL 9 /etc/group file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_group: Verify Group Who Owns group File

RHEL-09-232100: RHEL 9 /etc/group- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_group: Verify User Who Owns Backup group File

RHEL-09-232105: RHEL 9 /etc/group- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File

RHEL-09-232110: RHEL 9 /etc/gshadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_gshadow: Verify User Who Owns gshadow File

RHEL-09-232115: RHEL 9 /etc/gshadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File

RHEL-09-232120: RHEL 9 /etc/gshadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File

RHEL-09-232125: RHEL 9 /etc/gshadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File

RHEL-09-232130: RHEL 9 /etc/passwd file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_passwd: Verify User Who Owns passwd File

RHEL-09-232135: RHEL 9 /etc/passwd file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_passwd: Verify Group Who Owns passwd File

RHEL-09-232140: RHEL 9 /etc/passwd- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File

RHEL-09-232145: RHEL 9 /etc/passwd- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File

RHEL-09-232150: RHEL 9 /etc/shadow file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_etc_shadow: Verify User Who Owns shadow File

RHEL-09-232155: RHEL 9 /etc/shadow file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_etc_shadow: Verify Group Who Owns shadow File

RHEL-09-232160: RHEL 9 /etc/shadow- file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File

RHEL-09-232165: RHEL 9 /etc/shadow- file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File

RHEL-09-232170: RHEL 9 /var/log directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log: Verify User Who Owns /var/log Directory

RHEL-09-232175: RHEL 9 /var/log directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log: Verify Group Who Owns /var/log Directory

RHEL-09-232180: RHEL 9 /var/log/messages file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_var_log_messages: Verify User Who Owns /var/log/messages File

RHEL-09-232185: RHEL 9 /var/log/messages file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_var_log_messages: Verify Group Who Owns /var/log/messages File

RHEL-09-232190: RHEL 9 system commands must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership

RHEL-09-232195: RHEL 9 system commands must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account

RHEL-09-232200: RHEL 9 library files must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership

RHEL-09-232205: RHEL 9 library files must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

RHEL-09-232210: RHEL 9 library directories must be owned by root.

Description: None

• medium

Automated: yes

• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership

RHEL-09-232215: RHEL 9 library directories must be group-owned by root or a system account.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership

RHEL-09-232220: RHEL 9 audit tools must be owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_ownership: Audit Tools Must Be Owned by Root

RHEL-09-232225: RHEL 9 audit tools must be group-owned by root.

Description: None

• medium

Automated: yes

• file_audit_tools_group_ownership: Audit Tools Must Be Group-owned by Root

RHEL-09-232230: RHEL 9 cron configuration files directory must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_deny: Verify Owner on cron.deny
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab

RHEL-09-232235: RHEL 9 cron configuration files directory must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_deny: Verify Group Who Owns cron.deny
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab

RHEL-09-232240: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User

RHEL-09-232245: A sticky bit must be set on all RHEL 9 public directories.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

RHEL-09-232250: All RHEL 9 local files and directories must have a valid group owner.

Description: None

• medium

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

RHEL-09-232255: All RHEL 9 local files and directories must have a valid owner.

Description: None

• medium

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

RHEL-09-232260: RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

Description: None

• medium

Automated: yes

• selinux_all_devicefiles_labeled: Ensure No Device Files are Unlabeled by SELinux

RHEL-09-232265: RHEL 9 /etc/crontab file must have mode 0600.

Description: None

• medium

Automated: yes

• file_permissions_crontab: Verify Permissions on crontab

RHEL-09-232270: RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_shadow: Verify Permissions on shadow File

RHEL-09-251010: RHEL 9 must have the firewalld package installed.

Description: None

• medium

Automated: yes

• package_firewalld_installed: Install firewalld Package

RHEL-09-251015: The firewalld service on RHEL 9 must be active.

Description: None

• medium

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

RHEL-09-251020: A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Description: None

• medium

Automated: yes

• configured_firewalld_default_deny: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

RHEL-09-251025: RHEL 9 must control remote access methods.

Description: None

• medium

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports

RHEL-09-251030: RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.

Description: None

• medium

Automated: yes

• firewalld-backend: Configure Firewalld to Use the Nftables Backend

RHEL-09-251035: RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Description: None

• medium

Automated: yes

• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception

RHEL-09-251040: RHEL 9 network interfaces must not be in promiscuous mode.

Description: None

• medium

Automated: yes

• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer

RHEL-09-251045: RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

Description: None

• medium

Automated: yes

• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler

RHEL-09-252010: RHEL 9 must have the chrony package installed.

Description: None

• medium

Automated: yes

• package_chrony_installed: The Chrony package is installed

RHEL-09-252015: RHEL 9 chronyd service must be enabled.

Description: None

• medium

Automated: yes

• service_chronyd_enabled: The Chronyd service is enabled

RHEL-09-252020: RHEL 9 must securely compare internal information system clocks at least every 24 hours.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_server_directive: Ensure Chrony is only configured with the server directive
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• var_multiple_time_servers = stig
• var_time_service_set_maxpoll = 18_hours

RHEL-09-252025: RHEL 9 must disable the chrony daemon from acting as a server.

Description: None

• low

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server

RHEL-09-252030: RHEL 9 must disable network management of the chrony daemon.

Description: None

• low

Automated: yes

• chronyd_no_chronyc_network: Disable network management of chrony daemon

RHEL-09-252035: RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.

Description: None

• medium

Automated: yes

• network_configure_name_resolution: Configure Multiple DNS Servers in /etc/resolv.conf

RHEL-09-252040: RHEL 9 must configure a DNS processing mode set be Network Manager.

Description: None

• medium

Automated: yes

• networkmanager_dns_mode: NetworkManager DNS Mode Must Be Must Configured
• var_networkmanager_dns_mode = none

RHEL-09-252045: RHEL 9 must not have unauthorized IP tunnels configured.

Description: None

• medium

Automated: yes

• libreswan_approved_tunnels: Verify Any Configured IPSec Tunnel Connections

RHEL-09-252050: RHEL 9 must be configured to prevent unrestricted mail relaying.

Description: None

• medium

Automated: yes

• postfix_prevent_unrestricted_relay: Prevent Unrestricted Mail Relaying

RHEL-09-252055: If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode.

Description: None

• medium

Automated: yes

• tftpd_uses_secure_mode: Ensure tftp Daemon Uses Secure Mode

RHEL-09-252060: RHEL 9 must forward mail from postmaster to the root account using a postfix alias.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias_postmaster: Configure System to Forward All Mail From Postmaster to The Root Account

RHEL-09-252065: RHEL 9 libreswan package must be installed.

Description: None

• medium

Automated: yes

• package_libreswan_installed: Install libreswan Package

RHEL-09-252070: There must be no shosts.equiv files on RHEL 9.

Description: None

• high

Automated: yes

• no_host_based_files: Remove Host-Based Authentication Files

RHEL-09-252075: There must be no .shosts files on RHEL 9.

Description: None

• high

Automated: yes

• no_user_host_based_files: Remove User Host-Based Authentication Files

RHEL-09-253010: RHEL 9 must be configured to use TCP syncookies.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

RHEL-09-253015: RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces

RHEL-09-253020: RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

RHEL-09-253025: RHEL 9 must log IPv4 packets with impossible addresses.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

RHEL-09-253030: RHEL 9 must log IPv4 packets with impossible addresses by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

RHEL-09-253035: RHEL 9 must use reverse path filtering on all IPv4 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

RHEL-09-253040: RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

RHEL-09-253045: RHEL 9 must not forward IPv4 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

RHEL-09-253050: RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

RHEL-09-253055: RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

RHEL-09-253060: RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

RHEL-09-253065: RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

RHEL-09-253070: RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

RHEL-09-253075: RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_forwarding: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

RHEL-09-254010: RHEL 9 must not accept router advertisements on all IPv6 interfaces.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces

RHEL-09-254015: RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces

RHEL-09-254020: RHEL 9 must not forward IPv6 source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

RHEL-09-254025: RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

RHEL-09-254030: RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

RHEL-09-254035: RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

RHEL-09-254040: RHEL 9 must not forward IPv6 source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

RHEL-09-255010: All RHEL 9 networked systems must have SSH installed.

Description: None

• medium

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package

RHEL-09-255015: All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

Description: None

• medium

Automated: yes

• service_sshd_enabled: Enable the OpenSSH Service

RHEL-09-255020: RHEL 9 must have the openssh-clients package installed.

Description: None

• medium

Automated: yes

• package_openssh-clients_installed: Install OpenSSH client software

RHEL-09-255025: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.

Description: None

• medium

Automated: yes

• sshd_enable_warning_banner: Enable SSH Warning Banner

RHEL-09-255030: RHEL 9 must log SSH connection attempts and failures to the server.

Description: None

• medium

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

RHEL-09-255035: RHEL 9 SSHD must accept public key authentication.

Description: None

• medium

Automated: yes

• sshd_enable_pubkey_auth: Enable Public Key Authentication

RHEL-09-255040: RHEL 9 SSHD must not allow blank passwords.

Description: None

• high

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

RHEL-09-255045: RHEL 9 must not permit direct logons to the root account using remote access via SSH.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

RHEL-09-255050: RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

Description: None

• high

Automated: yes

• sshd_enable_pam: Enable PAM

RHEL-09-255055: RHEL 9 SSH daemon must be configured to use system-wide crypto policies.

Description: None

• medium

Automated: yes

• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy

RHEL-09-255060: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_openssh_conf_crypto_policy: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
• sshd_approved_ciphers = stig_rhel9

RHEL-09-255065: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.

Description: None

• medium

Automated: yes

• harden_sshd_ciphers_opensshserver_conf_crypto_policy: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

RHEL-09-255075: RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

Description: None

• medium

Automated: no

No rules selected

RHEL-09-255080: RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.

Description: None

• medium

Automated: yes

• disable_host_auth: Disable Host-Based Authentication

RHEL-09-255085: RHEL 9 must not allow users to override SSH environment variables.

Description: None

• medium

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

RHEL-09-255090: RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.

Description: None

• medium

Automated: yes

• sshd_rekey_limit: Force frequent session key renegotiation
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour

RHEL-09-255095: RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_sshd_set_keepalive = 1

RHEL-09-255100: RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_idle_timeout_value = 10_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval

RHEL-09-255105: RHEL 9 SSH server configuration file must be group-owned by root.

Description: None

• medium

Automated: yes

• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file

RHEL-09-255110: RHEL 9 SSH server configuration file must be owned by root.

Description: None

• medium

Automated: yes

• file_owner_sshd_config: Verify Owner on SSH Server config file

RHEL-09-255115: RHEL 9 SSH server configuration file must have mode 0600 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_config: Verify Permissions on SSH Server config file

RHEL-09-255120: RHEL 9 SSH private host key files must have mode 0640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

RHEL-09-255125: RHEL 9 SSH public host key files must have mode 0644 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

RHEL-09-255130: RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.

Description: None

• medium

Automated: yes

• sshd_disable_compression: Disable Compression Or Set Compression to delayed
• var_sshd_disable_compression = no

RHEL-09-255135: RHEL 9 SSH daemon must not allow GSSAPI authentication.

Description: None

• medium

Automated: yes

• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

RHEL-09-255140: RHEL 9 SSH daemon must not allow Kerberos authentication.

Description: None

• medium

Automated: yes

• sshd_disable_kerb_auth: Disable Kerberos Authentication

RHEL-09-255145: RHEL 9 SSH daemon must not allow rhosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

RHEL-09-255150: RHEL 9 SSH daemon must not allow known hosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

RHEL-09-255155: RHEL 9 SSH daemon must disable remote X connections for interactive users.

Description: None

• medium

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

RHEL-09-255160: RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.

Description: None

• medium

Automated: yes

• sshd_enable_strictmodes: Enable Use of Strict Mode Checking

RHEL-09-255165: RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• medium

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

RHEL-09-255170: RHEL 9 SSH daemon must be configured to use privilege separation.

Description: None

• medium

Automated: yes

• sshd_use_priv_separation: Enable Use of Privilege Separation

RHEL-09-255175: RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.

Description: None

• medium

Automated: yes

• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display

RHEL-09-271010: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

RHEL-09-271015: RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner

RHEL-09-271020: RHEL 9 must disable the graphical user interface automount function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

RHEL-09-271025: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

RHEL-09-271030: RHEL 9 must disable the graphical user interface autorun function unless required.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

RHEL-09-271035: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_autorun: Disable GNOME3 Automount running

RHEL-09-271040: RHEL 9 must not allow unattended or automatic logon via the graphical user interface.

Description: None

• high

Automated: yes

• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login

RHEL-09-271045: RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

RHEL-09-271050: RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.

Description: None

• medium

Automated: yes

• dconf_gnome_lock_screen_on_smartcard_removal: Enable the GNOME3 Screen Locking On Smartcard Removal

RHEL-09-271055: RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

RHEL-09-271060: RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_enabled: Enable GNOME3 Screensaver Lock After Idle Period

RHEL-09-271065: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout

RHEL-09-271070: RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings

RHEL-09-271075: RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period

RHEL-09-271080: RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings

RHEL-09-271085: RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Description: None

• medium

Automated: yes

• dconf_gnome_screensaver_mode_blank: Implement Blank Screensaver

RHEL-09-271090: RHEL 9 effective dconf policy must match the policy keyfiles.

Description: None

• medium

Automated: yes

• dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles

RHEL-09-271095: RHEL 9 must disable the ability of a user to restart the system from the login screen.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

RHEL-09-271100: RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_restart_shutdown: Disable the GNOME3 Login Restart and Shutdown Buttons

RHEL-09-271105: RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

RHEL-09-271110: RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

RHEL-09-271115: RHEL 9 must disable the user list at logon for graphical user interfaces.

Description: None

• medium

Automated: yes

• dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

RHEL-09-291010: RHEL 9 must be configured to disable USB mass storage.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

RHEL-09-291015: RHEL 9 must have the USBGuard package installed.

Description: None

• medium

Automated: yes

• package_usbguard_installed: Install usbguard Package

RHEL-09-291020: RHEL 9 must have the USBGuard package enabled.

Description: None

• medium

Automated: yes

• service_usbguard_enabled: Enable the USBGuard Service

RHEL-09-291025: RHEL 9 must enable Linux audit logging for the USBGuard daemon.

Description: None

• low

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit

RHEL-09-291030: RHEL 9 must block unauthorized peripherals before establishing a connection.

Description: None

• medium

Automated: yes

• usbguard_generate_policy: Generate USBGuard Policy

RHEL-09-291035: RHEL 9 Bluetooth must be disabled.

Description: None

• medium

Automated: yes

• kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module

RHEL-09-291040: RHEL 9 wireless network adapters must be disabled.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

RHEL-09-411010: RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age

RHEL-09-411015: RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction.

Description: None

• medium

Automated: yes

• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 60

RHEL-09-411020: All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.

Description: None

• medium

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

RHEL-09-411025: RHEL 9 must set the umask value to 077 for all local interactive user accounts.

Description: None

• medium

Automated: yes

• accounts_umask_interactive_users: Ensure the Default Umask is Set Correctly For Interactive Users
• var_accounts_user_umask = 077

RHEL-09-411030: RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

RHEL-09-411035: RHEL 9 system accounts must not have an interactive login shell.

Description: None

• medium

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

RHEL-09-411040: RHEL 9 must automatically expire temporary accounts within 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

RHEL-09-411045: All RHEL 9 interactive users must have a primary group that exists.

Description: None

• medium

Automated: yes

• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

RHEL-09-411050: RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity
• var_account_disable_post_pw_expiration = 35

RHEL-09-411055: Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.

Description: None

• medium

Automated: yes

• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

RHEL-09-411060: All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined

RHEL-09-411065: All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

RHEL-09-411070: All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.

Description: None

• medium

Automated: yes

• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

RHEL-09-411075: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3

RHEL-09-411080: RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts

RHEL-09-411085: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• var_accounts_passwords_pam_faillock_fail_interval = 900

RHEL-09-411090: RHEL 9 must maintain an account lock until the locked account is released by an administrator.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_unlock_time = never

RHEL-09-411095: RHEL 9 must not have unauthorized accounts.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
• var_accounts_authorized_local_users_regex = rhel9

RHEL-09-411100: The root account must be the only account having unrestricted access to RHEL 9 system.

Description: None

• high

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

RHEL-09-411105: RHEL 9 must ensure account lockouts persist.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_dir: Lock Accounts Must Persist

RHEL-09-411110: RHEL 9 groups must have unique Group ID (GID).

Description: None

• medium

Automated: yes

• group_unique_id: Ensure All Groups on the System Have Unique Group ID

RHEL-09-411115: Local RHEL 9 initialization files must not execute world-writable programs.

Description: None

• medium

Automated: yes

• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

RHEL-09-412010: RHEL 9 must have the tmux package installed.

Description: None

• medium

Automated: yes

• package_tmux_installed: Install the tmux Package

RHEL-09-412015: RHEL 9 must ensure session control is automatically started at shell initialization.

Description: None

• medium

Automated: yes

• configure_bashrc_tmux: Support session locking with tmux (not enforcing)

RHEL-09-412020: RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.

Description: None

• medium

Automated: yes

• configure_tmux_lock_command: Configure the tmux Lock Command
• configure_tmux_lock_keybinding: Configure the tmux lock session key binding

RHEL-09-412025: RHEL 9 must automatically lock command line user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• configure_tmux_lock_after_time: Configure tmux to lock session after inactivity

RHEL-09-412030: RHEL 9 must prevent users from disabling session control mechanisms.

Description: None

• low

Automated: yes

• no_tmux_in_shells: Prevent user from disabling the screen lock

RHEL-09-412035: RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout

RHEL-09-412040: RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

RHEL-09-412045: RHEL 9 must log username information when unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faillock_audit: Account Lockouts Must Be Logged

RHEL-09-412050: RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs
• var_accounts_fail_delay = 4

RHEL-09-412055: RHEL 9 must define default permissions for the bash shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly

RHEL-09-412060: RHEL 9 must define default permissions for the c shell.

Description: None

• medium

Automated: yes

• accounts_umask_etc_csh_cshrc: Ensure the Default C Shell Umask is Set Correctly

RHEL-09-412065: RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

RHEL-09-412070: RHEL 9 must define default permissions for the system default profile.

Description: None

• medium

Automated: yes

• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile

RHEL-09-412075: RHEL 9 must display the date and time of the last successful account logon upon logon.

Description: None

• low

Automated: yes

• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification

RHEL-09-412080: RHEL 9 must terminate idle user sessions.

Description: None

• medium

Automated: yes

• logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
• var_logind_session_timeout = 15_minutes

RHEL-09-431010: RHEL 9 must use a Linux Security Module configured to enforce limits on system services.

Description: None

• high

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

RHEL-09-431015: RHEL 9 must enable the SELinux targeted policy.

Description: None

• medium

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

RHEL-09-431020: RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.

Description: None

• medium

Automated: yes

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory

RHEL-09-431025: RHEL 9 must have policycoreutils package installed.

Description: None

• medium

Automated: yes

• package_policycoreutils_installed: Install policycoreutils Package

RHEL-09-431030: RHEL 9 policycoreutils-python-utils package must be installed.

Description: None

• medium

Automated: yes

• package_policycoreutils-python-utils_installed: Install policycoreutils-python-utils package

RHEL-09-432010: RHEL 9 must have the sudo package installed.

Description: None

• medium

Automated: yes

• package_sudo_installed: Install sudo Package

RHEL-09-432015: RHEL 9 must require reauthentication when using the "sudo" command.

Description: None

• medium

Automated: yes

• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command

RHEL-09-432020: RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• medium

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

RHEL-09-432025: RHEL 9 must require users to reauthenticate for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

RHEL-09-432030: RHEL 9 must restrict privilege elevation to authorized personnel.

Description: None

• medium

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

RHEL-09-432035: RHEL 9 must restrict the use of the "su" command.

Description: None

• medium

Automated: yes

• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

RHEL-09-433010: RHEL 9 fapolicy module must be installed.

Description: None

• medium

Automated: yes

• package_fapolicyd_installed: Install fapolicyd Package

RHEL-09-433015: RHEL 9 fapolicy module must be enabled.

Description: None

• medium

Automated: yes

• service_fapolicyd_enabled: Enable the File Access Policy Service

RHEL-09-611010: RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.

Description: None

• medium

Automated: yes

• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• var_password_pam_retry = 3

RHEL-09-611015: RHEL 9 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember_password_auth: Limit Password Reuse: password-auth
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite_or_required

RHEL-09-611020: RHEL 9 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember_system_auth: Limit Password Reuse: system-auth

RHEL-09-611025: RHEL 9 must not allow blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

RHEL-09-611030: RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_system_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.

RHEL-09-611035: RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Description: None

• medium

Automated: yes

• account_password_pam_faillock_password_auth: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.

RHEL-09-611040: RHEL 9 must ensure the password complexity module is enabled in the password-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth

RHEL-09-611045: RHEL 9 must ensure the password complexity module is enabled in the system-auth file.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth

RHEL-09-611050: RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_password_auth: Set number of Password Hashing Rounds - password-auth
• var_password_pam_unix_rounds = 5000

RHEL-09-611055: RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• accounts_password_pam_unix_rounds_system_auth: Set number of Password Hashing Rounds - system-auth

RHEL-09-611060: RHEL 9 must enforce password complexity rules for the root account.

Description: None

• medium

Automated: yes

• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User

RHEL-09-611065: RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• var_password_pam_lcredit = 1

RHEL-09-611070: RHEL 9 must enforce password complexity by requiring that at least one numeric character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• var_password_pam_dcredit = 1

RHEL-09-611075: RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age

RHEL-09-611080: RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

RHEL-09-611085: RHEL 9 must require users to provide a password for privilege escalation.

Description: None

• medium

Automated: yes

• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

RHEL-09-611090: RHEL 9 passwords must be created with a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• var_password_pam_minlen = 15

RHEL-09-611095: RHEL 9 passwords for new users must have a minimum of 15 characters.

Description: None

• medium

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs

RHEL-09-611100: RHEL 9 must enforce password complexity by requiring that at least one special character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• var_password_pam_ocredit = 1

RHEL-09-611105: RHEL 9 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
• var_password_pam_dictcheck = 1

RHEL-09-611110: RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used.

Description: None

• medium

Automated: yes

• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_ucredit = 1

RHEL-09-611115: RHEL 9 must require the change of at least eight characters when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters
• var_password_pam_difok = 8

RHEL-09-611120: RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxclassrepeat: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
• var_password_pam_maxclassrepeat = 4

RHEL-09-611125: RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters
• var_password_pam_maxrepeat = 3

RHEL-09-611130: RHEL 9 must require the change of at least four character classes when passwords are changed.

Description: None

• medium

Automated: yes

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• var_password_pam_minclass = 4

RHEL-09-611135: RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf

RHEL-09-611140: RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• var_password_hashing_algorithm = SHA512

RHEL-09-611145: RHEL 9 must not be configured to bypass password requirements for privilege escalation.

Description: None

• medium

Automated: yes

• disallow_bypass_password_sudo: Disallow Configuration to Bypass Password Requirements for Privilege Escalation

RHEL-09-611150: RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.

Description: None

• medium

Automated: yes

• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

RHEL-09-611155: RHEL 9 must not have accounts configured with blank or null passwords.

Description: None

• medium

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

RHEL-09-611160: RHEL 9 must use the CAC smart card driver.

Description: None

• medium

Automated: yes

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• var_smartcard_drivers = cac

RHEL-09-611165: RHEL 9 must enable certificate based smart card authentication.

Description: None

• medium

Automated: yes

• sssd_enable_smartcards: Enable Smartcards in SSSD

RHEL-09-611170: RHEL 9 must implement certificate status checking for multifactor authentication.

Description: None

• medium

Automated: yes

• sssd_certificate_verification: Certificate status checking in SSSD
• var_sssd_certificate_verification_digest_function = sha512

RHEL-09-611175: RHEL 9 must have the pcsc-lite package installed.

Description: None

• medium

Automated: yes

• package_pcsc-lite_installed: Install the pcsc-lite package

RHEL-09-611180: The pcscd service on RHEL 9 must be active.

Description: None

• medium

Automated: yes

• service_pcscd_enabled: Enable the pcscd Service

RHEL-09-611185: RHEL 9 must have the opensc package installed.

Description: None

• medium

Automated: yes

• package_opensc_installed: Install the opensc Package For Multifactor Authentication

RHEL-09-611190: RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: yes

• ssh_keys_passphrase_protected: Verify the SSH Private Key Files Have a Passcode

RHEL-09-611195: RHEL 9 must require authentication to access emergency mode.

Description: None

• medium

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

RHEL-09-611200: RHEL 9 must require authentication to access single-user mode.

Description: None

• medium

Automated: yes

• require_singleuser_auth: Require Authentication for Single User Mode

RHEL-09-611205: RHEL 9 must prevent system daemons from using Kerberos for authentication.

Description: None

• medium

Automated: yes

• kerberos_disable_no_keytab: Disable Kerberos by removing host keytab

RHEL-09-631010: RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: yes

• sssd_has_trust_anchor: SSSD Has a Correct Trust Anchor

RHEL-09-631015: RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.

Description: None

• medium

Automated: yes

• sssd_enable_certmap: Enable Certmap in SSSD

RHEL-09-631020: RHEL 9 must prohibit the use of cached authenticators after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

RHEL-09-651010: RHEL 9 must have the AIDE package installed.

Description: None

• medium

Automated: yes

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE

RHEL-09-651015: RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.

Description: None

• medium

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

RHEL-09-651020: RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

Description: None

• medium

Automated: yes

• aide_use_fips_hashes: Configure AIDE to Use FIPS 140-2 for Validating Hashes

RHEL-09-651025: RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.

Description: None

• medium

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

RHEL-09-651030: RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).

Description: None

• low

Automated: yes

• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)

RHEL-09-651035: RHEL 9 must be configured so that the file integrity tool verifies extended attributes.

Description: None

• low

Automated: yes

• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes

RHEL-09-652010: RHEL 9 must have the rsyslog package installed.

Description: None

• medium

Automated: yes

• package_rsyslog_installed: Ensure rsyslog is Installed

RHEL-09-652015: RHEL 9 must have the packages required for encrypting offloaded audit logs installed.

Description: None

• medium

Automated: yes

• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed

RHEL-09-652020: The rsyslog service on RHEL 9 must be active.

Description: None

• medium

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

RHEL-09-652025: RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Description: None

• medium

Automated: yes

• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

RHEL-09-652030: All RHEL 9 remote access methods must be monitored.

Description: None

• medium

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog

RHEL-09-652035: RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.

Description: None

• medium

Automated: yes

• auditd_audispd_syslog_plugin_activated: Configure auditd to use audispd's syslog plugin

RHEL-09-652040: RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdriverauthmode: Ensure Rsyslog Authenticates Off-Loaded Audit Records

RHEL-09-652045: RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_actionsendstreamdrivermode: Ensure Rsyslog Encrypts Off-Loaded Audit Records

RHEL-09-652050: RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_encrypt_offload_defaultnetstreamdriver: Ensure Rsyslog Encrypts Off-Loaded Audit Records

RHEL-09-652055: RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.

Description: None

• medium

Automated: yes

• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

RHEL-09-652060: RHEL 9 must use cron logging.

Description: None

• medium

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

RHEL-09-653010: RHEL 9 audit package must be installed.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed

RHEL-09-653015: RHEL 9 audit service must be enabled.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

RHEL-09-653020: RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action_stig: Configure auditd Disk Error Action on Disk Error
• var_auditd_disk_error_action = halt

RHEL-09-653025: RHEL 9 audit system must take appropriate action when the audit storage volume is full.

Description: None

• medium

Automated: yes

• auditd_data_disk_full_action_stig: Configure auditd Disk Full Action when Disk Space Is Full
• var_auditd_disk_full_action = halt

RHEL-09-653030: RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs

RHEL-09-653035: RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space
• var_auditd_space_left_percentage = 25pc

RHEL-09-653040: RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• var_auditd_space_left_action = email

RHEL-09-653045: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• var_auditd_admin_space_left_percentage = 5pc

RHEL-09-653050: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Description: None

• medium

Automated: yes

• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = single

RHEL-09-653055: RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.

Description: None

• medium

Automated: yes

• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_auditd_max_log_file_action = rotate

RHEL-09-653060: RHEL 9 must label all offloaded audit logs before sending them to the central log server.

Description: None

• medium

Automated: yes

• auditd_name_format: Set type of computer node name logging in audit logs
• var_auditd_name_format = stig

RHEL-09-653065: RHEL 9 must take appropriate action when the internal event queue is full.

Description: None

• medium

Automated: yes

• auditd_overflow_action: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

RHEL-09-653070: RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.

Description: None

• medium

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
• var_auditd_action_mail_acct = root

RHEL-09-653075: RHEL 9 audit system must audit local events.

Description: None

• medium

Automated: yes

• auditd_local_events: Include Local Events in Audit Logs

RHEL-09-653080: RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_group_ownership_var_log_audit: System Audit Directories Must Be Group Owned By Root

RHEL-09-653085: RHEL 9 audit log directory must be owned by root to prevent unauthorized read access.

Description: None

• medium

Automated: yes

• directory_ownership_var_log_audit: System Audit Directories Must Be Owned By Root

RHEL-09-653090: RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.

Description: None

• medium

Automated: yes

• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

RHEL-09-653095: RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.

Description: None

• medium

Automated: yes

• auditd_freq: Set number of records to cause an explicit flush to audit logs
• var_auditd_freq = 100

RHEL-09-653100: RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.

Description: None

• medium

Automated: yes

• auditd_log_format: Resolve information before writing to audit logs

RHEL-09-653105: RHEL 9 must write audit records to disk.

Description: None

• medium

Automated: yes

• auditd_write_logs: Write Audit Logs to the Disk

RHEL-09-653110: RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_rulesd: Verify Permissions on /etc/audit/rules.d/*.rules

RHEL-09-653115: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.

Description: None

• medium

Automated: yes

• file_permissions_etc_audit_auditd: Verify Permissions on /etc/audit/auditd.conf

RHEL-09-653120: RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

Description: None

• low

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

RHEL-09-653125: RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

RHEL-09-653130: RHEL 9 audispd-plugins package must be installed.

Description: None

• medium

Automated: yes

• package_audispd-plugins_installed: Install audispd-plugins Package

RHEL-09-654010: RHEL 9 must audit uses of the "execve" system call.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

RHEL-09-654015: RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat

RHEL-09-654020: RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

RHEL-09-654025: RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

RHEL-09-654030: RHEL 9 must audit all uses of umount system calls.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount

RHEL-09-654035: RHEL 9 must audit all uses of the chacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chacl: Record Any Attempts to Run chacl

RHEL-09-654040: RHEL 9 must audit all uses of the setfacl command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

RHEL-09-654045: RHEL 9 must audit all uses of the chcon command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon

RHEL-09-654050: RHEL 9 must audit all uses of the semanage command.

Description: None

• medium

Automated: yes

• audit_rules_execution_semanage: Record Any Attempts to Run semanage

RHEL-09-654055: RHEL 9 must audit all uses of the setfiles command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles

RHEL-09-654060: RHEL 9 must audit all uses of the setsebool command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

RHEL-09-654065: RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.

Description: None

• medium

Automated: yes

• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

RHEL-09-654070: RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

RHEL-09-654075: RHEL 9 must audit all uses of the delete_module system call.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module

RHEL-09-654080: RHEL 9 must audit all uses of the init_module and finit_module system calls.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module

RHEL-09-654085: RHEL 9 must audit all uses of the chage command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

RHEL-09-654090: RHEL 9 must audit all uses of the chsh command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

RHEL-09-654095: RHEL 9 must audit all uses of the crontab command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

RHEL-09-654100: RHEL 9 must audit all uses of the gpasswd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

RHEL-09-654105: RHEL 9 must audit all uses of the kmod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

RHEL-09-654110: RHEL 9 must audit all uses of the newgrp command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

RHEL-09-654115: RHEL 9 must audit all uses of the pam_timestamp_check command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

RHEL-09-654120: RHEL 9 must audit all uses of the passwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd

RHEL-09-654125: RHEL 9 must audit all uses of the postdrop command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

RHEL-09-654130: RHEL 9 must audit all uses of the postqueue command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

RHEL-09-654135: RHEL 9 must audit all uses of the ssh-agent command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

RHEL-09-654140: RHEL 9 must audit all uses of the ssh-keysign command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

RHEL-09-654145: RHEL 9 must audit all uses of the su command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su

RHEL-09-654150: RHEL 9 must audit all uses of the sudo command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

RHEL-09-654155: RHEL 9 must audit all uses of the sudoedit command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

RHEL-09-654160: RHEL 9 must audit all uses of the unix_chkpwd command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

RHEL-09-654165: RHEL 9 must audit all uses of the unix_update command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

RHEL-09-654170: RHEL 9 must audit all uses of the userhelper command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

RHEL-09-654175: RHEL 9 must audit all uses of the usermod command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

RHEL-09-654180: RHEL 9 must audit all uses of the mount command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount

RHEL-09-654185: Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_init: Ensure auditd Collects Information on the Use of Privileged Commands - init

RHEL-09-654190: Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_poweroff: Ensure auditd Collects Information on the Use of Privileged Commands - poweroff

RHEL-09-654195: Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_reboot: Ensure auditd Collects Information on the Use of Privileged Commands - reboot

RHEL-09-654200: Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_privileged_commands_shutdown: Ensure auditd Collects Information on the Use of Privileged Commands - shutdown

RHEL-09-654205: Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount

RHEL-09-654210: Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2

RHEL-09-654215: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

Description: None

• medium

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers

RHEL-09-654220: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.

Description: None

• medium

Automated: yes

• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

RHEL-09-654225: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group

RHEL-09-654230: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow

RHEL-09-654235: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

RHEL-09-654240: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

RHEL-09-654245: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

RHEL-09-654250: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock

RHEL-09-654255: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

RHEL-09-654260: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.

Description: None

• medium

Automated: yes

• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

RHEL-09-654265: RHEL 9 must take appropriate action when a critical audit processing failure occurs.

Description: None

• medium

Automated: yes

• audit_rules_system_shutdown: Shutdown System When Auditing Failures Occur

RHEL-09-654270: RHEL 9 audit system must protect logon UIDs from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable_login_uids: Configure immutable Audit login UIDs

RHEL-09-654275: RHEL 9 audit system must protect auditing rules from unauthorized change.

Description: None

• medium

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

RHEL-09-671010: RHEL 9 must enable FIPS mode.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• sysctl_crypto_fips_enabled: Set kernel parameter 'crypto.fips_enabled' to 1
• var_system_crypto_policy = fips

RHEL-09-671015: RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.

Description: None

• medium

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512

RHEL-09-671020: RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.

Description: None

• medium

Automated: yes

• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy

RHEL-09-671025: RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth

RHEL-09-672010: RHEL 9 must have the crypto-policies package installed.

Description: None

• medium

Automated: yes

• package_crypto-policies_installed: Install crypto-policies package

RHEL-09-672015: RHEL 9 crypto policy files must match files shipped with the operating system.

Description: None

• high

Automated: no

No rules selected

RHEL-09-672020: RHEL 9 crypto policy must not be overridden.

Description: None

• medium

Automated: no

No rules selected

RHEL-09-672025: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Description: None

• medium

Automated: yes

• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy

RHEL-09-672030: RHEL 9 must implement DOD-approved TLS encryption in the GnuTLS package.

Description: None

• high

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

RHEL-09-672035: RHEL 9 must implement DOD-approved encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy

RHEL-09-672040: RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package.

Description: None

• medium

Automated: yes

• configure_openssl_tls_crypto_policy: Configure OpenSSL library to use TLS Encryption

RHEL-09-672045: RHEL 9 must implement a system-wide encryption policy.

Description: None

• medium

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

RHEL-09-672050: RHEL 9 must implement DOD-approved encryption in the bind package.

Description: None

• medium

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy