INACTIVE=
                  
                
              

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
      

$ sudo chage -E YYYY-MM-DD USER
              

Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?
      

$ sudo userdel unauthorized_user
            

To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?
      

CREATE_HOME yes

Verify all local interactive users on Oracle Linux 7 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?
      

FAIL_DELAY 
            

Verify Oracle Linux 7 enforces a delay of at least  seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 
      Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out?
      

* hard maxlogins 
            

Verify Oracle Linux 7 limits the number of concurrent sessions to
"" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?
      

PASS_MAX_DAYS 
              

Verify that Oracle Linux 7 enforces a -day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out?
      

PASS_MIN_DAYS 
              

Verify Oracle Linux 7 enforces 24 hours/one day as the minimum password lifetime for new user accounts.

Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:

$ grep -i pass_min_days /etc/login.defs

PASS_MIN_DAYS 
      Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out?
      

Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?
      

Verify that Oracle Linux 7 enforces password complexity by requiring that at least one numeric character be used.

Check the value for "dcredit" with the following command:

$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dcredit = 
      Is it the case that the value of "dcredit" is a positive number or is commented out?
      

Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:

$ sudo grep difok /etc/security/pwquality.conf

difok = 
      Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out?
      

Verify that Oracle Linux 7 enforces password complexity by requiring that at least one lower-case character.

Check the value for "lcredit" with the following command:

$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:lcredit = -1
      Is it the case that the value of "lcredit" is a positive number or is commented out?
      

Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxclassrepeat /etc/security/pwquality.conf

maxclassrepeat = 
      Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out?
      

Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxrepeat /etc/security/pwquality.conf

maxrepeat = 
      Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out?
      

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:

$ grep minclass /etc/security/pwquality.conf

minclass = 
      Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out?
      

Verify that Oracle Linux 7 enforces a minimum -character password length with the following command:

$ grep minlen /etc/security/pwquality.conf

minlen = 
      Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out?
      

Verify that Oracle Linux 7 enforces password complexity by requiring that at least one special character with the following command:

$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ocredit = 
      Is it the case that value of "ocredit" is a positive number or is commented out?
      

Verify Oracle Linux 7 is configured to limit the "pwquality" retry option to .


Check for the use of the "pwquality" retry option in the PAM files with the following command:

$ grep pam_pwquality /etc/pam.d/system-auth


password requisite pam_pwquality.so retry=
      Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing?
      

Verify that Oracle Linux 7 enforces password complexity by requiring that at least one upper-case character.

Check the value for "ucredit" with the following command:

$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ucredit = -1
      Is it the case that the value of "ucredit" is a positive number or is commented out?
      

$ sudo chage -M 
                USER
              

Check whether the maximum time period for existing passwords is restricted to  days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

$ sudo chage -m 1 USER
              

Verify that Oracle Linux 7 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

Verify Oracle Linux 7 is configured to lock an account after 
unsuccessful logon attempts with the command:

$ grep 'deny =' /etc/security/faillock.conf
deny = .
      Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />"
or less (but not "0"), is missing or commented out?
      

Verify Oracle Linux 7 is configured to lock the root account after 
unsuccessful logon attempts with the command:

$ grep even_deny_root /etc/security/faillock.conf
even_deny_root
      Is it the case that the "even_deny_root" option is not set, is missing or commented out?
      

To ensure the failed password attempt policy is configured correctly, run the following command:

$ grep fail_interval /etc/security/faillock.conf
The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is  or greater.
      Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />"
or less (but not "0"), the line is commented out, or the line is missing?
      

Verify Oracle Linux 7 is configured to lock an account until released by an administrator
after  unsuccessful logon
attempts with the command:

$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = 
      Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />",
the line is missing, or commented out?
      

typeset -xr TMOUT=
            

declare -xr TMOUT=
            

Run the following command to ensure the TMOUT value is configured for all users
on the system:

$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh

The output should return the following:
TMOUT=
      Is it the case that value of TMOUT is not less than or equal to expected setting?
      

UMASK 
              

Verify Oracle Linux 7 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 
      Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out?
      

Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

# grep -ri umask /home/

/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/smithj/.bash_history:grep -i umask /etc/login.defs
      Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"?
      

/etc/passwd

$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
            

To verify the local initialization files of all local interactive users are group-
owned by the appropriate user, inspect the primary group of the respective
users in /etc/passwd and verify all initialization files under the
respective users home directory. Check the group owner of all local interactive users
initialization files.
      Is it the case that they are not?
      

$ sudo chmod o-w FILE
            

Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?
      

$ sudo chown USER /home/USER/.*

To verify all local initialization files for interactive users are owned by the
primary user, run the following command:
$ sudo ls -al /home/USER/.*
The user initialization files should be owned by USER.
      Is it the case that they are not?
      

Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?
      

$ sudo mkdir /home/USER
            

Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?
      

$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
            

To verify all files and directories in interactive user home directory are
group-owned by a group the user is a member of, run the
following command:
$ sudo ls -lLR /home/USER
      Is it the case that the group ownership is incorrect?
      

$ sudo chown -R USER /home/USER
            

To verify all files and directories in a local interactive user's
home directory have a valid owner, run the following command:
$ sudo ls -lLR /home/USER
      Is it the case that the user ownership is incorrect?
      

$ sudo chmod 0750 /home/USER/FILE_DIR
            

To verify all files and directories contained in interactive user home
directory, excluding local initialization files, have a mode of 0750,
run the following command:
$ sudo ls -lLR /home/USER
      Is it the case that home directory files or folders have incorrect permissions?
      

$ sudo /usr/sbin/aide --init

$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

$ sudo /usr/sbin/aide --check

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
      Is it the case that there is no database file?
      

05 4 * * * root /usr/sbin/aide --check

05 4 * * 0 root /usr/sbin/aide --check

Verify the operating system routinely checks the baseline configuration for unauthorized changes.

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check

NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
      Is it the case that AIDE is not configured to scan periodically?
      

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

To determine that periodic AIDE execution has been scheduled, run the following command:

$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
The email address that the notifications are sent to can be changed by overriding
.
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?
      

NORMAL = FIPSR+sha512

To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
$ grep sha512 /etc/aide.conf
Verify that the sha512 option is added to the correct ruleset.
      Is it the case that the sha512 option is missing or not added to the correct ruleset?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?
      

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "semanage" command with the following command:

$ sudo auditctl -l | grep semanage

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "setfiles" command with the following command:

$ sudo auditctl -l | grep setfiles

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "setsebool" command with the following command:

$ sudo auditctl -l | grep setsebool

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rmdir system call, run the following command:
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S create_module -F key=module-change

To determine if the system is configured to audit calls to the
create_module system call, run the following command:
$ sudo grep "create_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-w  -p wa -k logins

-w  -p wa -k logins

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep 

-w  -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /var/log/lastlog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

To determine if the system is configured to audit calls to the
mount system call, run the following command:
$ sudo grep "mount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "mount" command with the following command:

$ sudo auditctl -l | grep mount

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "pam_timestamp_check" command with the following command:

$ sudo auditctl -l | grep pam_timestamp_check

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "postdrop" command with the following command:

$ sudo auditctl -l | grep postdrop

-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "postqueue" command with the following command:

$ sudo auditctl -l | grep postqueue

-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "umount" command with the following command:

$ sudo auditctl -l | grep umount

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Oracle Linux 7 is configured to audit the execution of the "userhelper" command with the following command:

$ sudo auditctl -l | grep userhelper

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper
      Is it the case that the command does not return a line, or the line is commented out?
      

$ sudo grep execve /etc/audit/audit.rules

$ sudo grep -r execve /etc/audit/rules.d

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

Verify Oracle Linux 7 audits the execution of privileged functions.

Check if Oracle Linux 7 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?
      

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
      Is it the case that there is not output?
      

-f 
          

-f 
          

To verify that the system will shutdown when auditd fails,
run the following command:
$ sudo grep "\-f " /etc/audit/audit.rules
The output should contain:
-f 
      Is it the case that the system is not configured to shutdown on auditd failures?
      

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the creat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r creat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep creat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the ftruncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r ftruncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep ftruncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the open system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open_by_handle_at /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open_by_handle_at /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the openat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r openat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep openat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/group -p wa -k audit_rules_usergroup_modification

-w /etc/group -p wa -k audit_rules_usergroup_modification

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep -E '(/etc/group)'

-w /etc/group -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep -E '(/etc/gshadow)'

-w /etc/gshadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
      Is it the case that the system is not configured to audit account changes?
      

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep -E '(/etc/security/opasswd)'

-w /etc/security/opasswd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$  sudo auditctl -l | grep -E '(/etc/passwd)'

-w /etc/passwd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command:

$  sudo auditctl -l | grep -E '(/etc/shadow)'

-w /etc/shadow -p wa -k identity
      Is it the case that command does not return a line, or the line is commented out?
      

/etc/audisp/audisp-remote.conf

remote_server = 
              
            
          

To verify the audispd plugin off-loads audit records onto a different system or
media from the system being audited, run the following command:
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
The output should return something similar to
remote_server = 
      Is it the case that audispd is not sending logs to a remote system?
      

disk_full_action = ACTION
          

Inspect /etc/audisp/audisp-remote.conf and locate the following line to
determine if the system is configured to either send to syslog, switch to single user mode,
or halt when the disk is full:
$ sudo grep -i disk_full_action /etc/audisp/audisp-remote.conf
The output should return something similar to:
disk_full_action = single
Acceptable values also include syslog and halt.
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      

/etc/audisp/audisp-remote.conf

enable_krb5 = yes

To verify the audispd plugin encrypts audit records off-loaded onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
The output should return the following:
enable_krb5 = yes
      Is it the case that audispd is not encrypting audit records when sent over the network?
      

network_failure_action = ACTION
          

Inspect /etc/audisp/audisp-remote.conf and locate the following line to
determine if the system is configured to perform a correct action according to the policy:
$ sudo grep -i network_failure_action /etc/audisp/audisp-remote.conf
The output should return:
network_failure_action = 
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      

$ sudo service auditd restart

To verify if audispd's au-remote plugin is active, run the following command:
$ sudo grep active /etc/audisp/plugins.d/au-remote.conf
If the plugin is active, the output will show yes.
      Is it the case that it is not activated?
      

$ sudo service auditd restart

To verify if audispd's au-remote plugin is configured, run the following command:
$ sudo grep direction /etc/audisp/plugins.d/au-remote.conf
If the plugin is configured correctly, the output will show out.
      Is it the case that it is not configured?
      

$ sudo service auditd restart

To verify if audispd's au-remote plugin is configured, run the following command:
$ sudo grep path /etc/audisp/plugins.d/au-remote.conf
If the plugin is configured correctly, the output will show /sbin/audisp-remote.
      Is it the case that it is not configured?
      

$ sudo service auditd restart

To verify if audispd's au-remote plugin is configured, run the following command:
$ sudo grep type /etc/audisp/plugins.d/au-remote.conf
If the plugin is configured correctly, the output will show always.
      Is it the case that it is not configured?
      

action_mail_acct = 
          

Verify that Oracle Linux 7 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = 
      Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?
      

space_left_action = ACTION
          

• syslog
• email
• exec
• suspend
• single
• halt

Verify Oracle Linux 7 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = 

If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?
      

space_left = PERCENTAGE%

Verify Oracle Linux 7 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left /etc/audit/auditd.conf

space_left = %
      Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value?
      

To verify that Audit Daemon is configured to record the computer node
name in the audit events, run the following command:
$ sudo grep name_format /etc/audit/auditd.conf
The output should return the following:
name_format = 
      Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />?
      

Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audisp/audispd.conf

The output should contain overflow_action = syslog

If the value of the "overflow_action" option is not set to syslog,
single, halt or the line is commented out, ask the System Administrator
to indicate how the audit logs are off-loaded to a different system or media.
      Is it the case that auditd overflow action is not set correctly?
      

Verify "system-auth" and "password-auth" files are symbolic
links pointing to "system-auth-local" and "password-auth-local":
$ sudo ls -l /etc/pam.d/{password,system}-auth
      Is it the case that The system-auth and password-auth files are not symbolic links or they
do not point to system-auth-local password-auth-local?
      

To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?
      

maxpoll 
          

Verify Oracle Linux 7 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf /etc/chrony.d/
server [ntp.server.name] iburst maxpoll .
      Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing?
      

Verify Oracle Linux 7 removes all software components after updated versions have been installed.


$ grep clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
      Is it the case that '"clean_requirements_on_remove" is not set to "1"'?
      

firewall-cmd --permanent --add-port=port_number/tcp
              

firewall-cmd --permanent --add-service=service_name
              

Inspect the list of enabled firewall ports and verify they are configured correctly by running
the following command:

$ sudo firewall-cmd --list-all

Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
      Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured?
      

dconf update

/etc/dconf/db/local.d

/etc/dconf/db/local.d

In order to be sure that the databases are up-to-date, run the
dconf update
command as the administrator.
      Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles?
      

[org/gnome/login-screen]
banner-message-enable=true

/org/gnome/login-screen/banner-message-enable

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      

[org/gnome/desktop/media-handling]
automount=false

/org/gnome/desktop/media-handling/automount

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false.
To ensure that users cannot enable automount in GNOME3, run the following:
$ grep 'automount' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
      Is it the case that GNOME automounting is not disabled?
      

[org/gnome/desktop/media-handling]
automount-open=false

/org/gnome/desktop/media-handling/automount-open

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
      Is it the case that GNOME automounting is not disabled?
      

[org/gnome/desktop/media-handling]
autorun-never=true

/org/gnome/desktop/media-handling/autorun-never

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
      Is it the case that GNOME autorun is not disabled?
      

[org/gnome/settings-daemon/plugins/media-keys]
logout=['']

/org/gnome/settings-daemon/plugins/media-keys/logout

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence,
run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
      Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?
      

[org/gnome/login-screen]
disable-user-list=true

/org/gnome/login-screen/disable-user-list

To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/local.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-list
      Is it the case that disable-user-list has not been configured or is not disabled?
      

[org/gnome/login-screen]
enable-smartcard-authentication=true

/org/gnome/login-screen/enable-smartcard-authentication

To ensure smart card authentication on the login screen is enabled, run the following command:
$ grep enable-smartcard-authentication /etc/dconf/db/local.d/*
The output should be true.
To ensure that users cannot disable smart card authentication on the login screen, run the following:
$ grep enable-smartcard-authentication /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication
      Is it the case that enable-smartcard-authentication has not been configured or is disabled?
      

[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'

/org/gnome/login-screen/banner-message-text

To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/local.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
      Is it the case that it does not?
      

[org/gnome/desktop/screensaver]
idle-activation-enabled=true

/org/gnome/desktop/screensaver/idle-activation-enabled

To check the screensaver mandatory use status, run the following command:
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
      Is it the case that idle-activation-enabled is not enabled or configured?
      

/org/gnome/desktop/screensaver/idle-activation-enabled

/org/gnome/desktop/screensaver/idle-activation-enabled

To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
      Is it the case that idle-activation-enabled is not locked?
      

[org/gnome/desktop/session]
idle-delay=uint32 900

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
      

[org/gnome/desktop/screensaver]
lock-delay=uint32 
              

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.
      Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />?
      

[org/gnome/desktop/screensaver]
lock-enabled=true

/org/gnome/desktop/screensaver/lock-enabled

To check the status of the idle screen lock activation, run the following command:

$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
      

/org/gnome/desktop/screensaver/lock-enabled

/org/gnome/desktop/screensaver/lock-enabled

To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not locked?
      

/org/gnome/desktop/screensaver/lock-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
      Is it the case that GNOME3 session settings are not locked or configured properly?
      

/org/gnome/desktop/session/idle-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?
      

The following command will discover and print world-writable directories that are not owned by
a system account, given the assumption that only system accounts have a uid lower than 500.
Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +1000 -print
      Is it the case that there is output?
      

The following command will discover and print world-writable directories that
are not group owned by a system account, given the assumption that only system
accounts have a gid lower than 1000.  Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
      Is it the case that there is output?
      

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
      

HostbasedAuthentication no

To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:

$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

$ sudo grep pam_succeed_if /etc/pam.d/sudo

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?
      

session     required    pam_lastlog.so showfailed

Verify users are provided with feedback on when account accesses last occurred with the following command:

$ sudo grep pam_lastlog /etc/pam.d/postlogin

session required pam_lastlog.so showfailed
      Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file?
      

gpgcheck=1

Verify that yum verifies the signature of packages from a repository prior to install with the following command:

$ grep gpgcheck /etc/yum.conf

gpgcheck=1

If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates that is approved by the organization?
      

Verify that yum verifies the signature of local packages prior to install with the following command:

$ grep localpkg_gpgcheck /etc/yum.conf

localpkg_gpgcheck=1

If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates for local packages that is approved by the organization?
      

$ sudo uln_register

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY-oracle

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Oracle OSS group (Open Source Software group) <build@oss.oracle.com>
      Is it the case that the Oracle GPG Key is not installed?
      

$ sudo chgrp root /etc/cron.allow

To check the group ownership of /etc/cron.allow,
run the command:
$ ls -lL /etc/cron.allow
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.allow does not have a group owner of root?
      

$ sudo chgrp USER_GROUP /home/USER
            

To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?
      

$ sudo chown root /etc/cron.allow 

To check the ownership of /etc/cron.allow,
run the command:
$ ls -lL /etc/cron.allow
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.allow does not have an owner of root?
      

$ sudo chown USER /home/USER
            

To verify the home directory ownership, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the user ownership is incorrect?
      

/var/log/audit/

$ sudo chown root /var/log/audit 

$ sudo chown root /var/log/audit/* 

To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit 

To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* 
      Is it the case that ?
      

$ sudo chmod 0740 /home/USER/.INIT_FILE
            

To verify that all user initialization files have a mode of 0740 or
less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
      Is it the case that they are not 0740 or more permissive?
      

$ sudo chmod 0750 /home/USER
            

To verify the assigned home directory of all interactive user home directories
have a mode of 0750 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
      Is it the case that they are more permissive?
      

To check the permissions of /etc/ssh/*_key,
run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/ssh/*_key does not have unix mode -rw-------?
      

$ sudo chmod 0644 /etc/ssh/*.pub

To check the permissions of /etc/ssh/*.pub,
run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?
      

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid group:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid group should be located.
      Is it the case that there is output?
      

$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

$ sudo chmod 0600 audit_log_file
          

Run the following command to check the mode of the system audit logs:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file=/var/log/audit/audit.log
$ sudo stat -c "%n %a" /var/log/audit/*
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive.
      Is it the case that any permissions are more permissive?
      

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
run the following command:
$ sudo pwck -qr
There should be no output.
      Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group?
      

[daemon]
AutomaticLoginEnable=false

To verify that automatic logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
AutomaticLoginEnable=false
      Is it the case that GDM allows users to automatically login?
      

[daemon]
TimedLoginEnable=false

To verify that timed logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
TimedLoginEnable=false
      Is it the case that GDM allows a guest to login without credentials?
      

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users

grubby --update-kernel=ALL

To verify the boot loader superuser account has been set, run the following
command:
sudo grep -A1 "superusers" /boot/grub2/grub.cfg
The output should show the following:
set superusers="superusers-account"
export superusers
where superusers-account is the actual account name different from common names like root,
admin, or administrator and different from any other existing user name.
      Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name?
      

$ sudo yum install dracut-fips
dracut -f

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"

grub2-mkconfig -o

• On BIOS-based machines, issue the following command as root:

  ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

• On UEFI-based machines, issue the following command as root:

  ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

To verify that FIPS is enabled properly in grub, run the following command:
$ grep fips /etc/default/grub
The output should contain fips=1
      Is it the case that FIPS is not configured or enabled in grub?
      

set root='hd0,msdos1'

To verify the system is not configured to use a boot loader on removable media,
check that the grub configuration file has the set root command in each menu
entry with the following commands:
$ sudo grep -cw menuentry /boot/grub2/grub.cfg
Note that the -c option for the grep command will print
only the count of menuentry occurrences. This number should match
the number of occurrences reported by the following command:
$ sudo grep "set root='hd0" /boot/grub2/grub.cfg
The output should return something similar to:
set root='hd0,msdos1'
usb0, cd, fd0, etc. are some examples of removeable
media which should not exist in the lines:
set root='hd0,msdos1'
      Is it the case that it is not?
      

# grub2-setpassword

First, check whether the password is defined in either /boot/grub2/user.cfg or
/boot/grub2/grub.cfg.
Run the following commands:
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg
$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg


Second, check that a superuser is defined in /boot/grub2/grub.cfg.
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  /boot/grub2/grub.cfg
      Is it the case that it does not produce any output?
      

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users

grubby --update-kernel=ALL

To verify the boot loader superuser account has been set, run the following
command:
sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg
The output should show the following:
set superusers="superusers-account"
export superusers
where superusers-account is the actual account name different from common names like root,
admin, or administrator and different from any other existing user name.
      Is it the case that superuser account is not set or is set to an existing name or to a common name?
      

# grub2-setpassword

To verify the boot loader superuser password has been set, run the following command:
$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
      Is it the case that no password is set?
      

Verify an anti-virus solution is installed on the system. The anti-virus solution may be
bundled with an approved host-based security solution.
      Is it the case that there is no anti-virus solution installed on the system?
      

$ sudo yum install pam_pkcs11

Check that Oracle Linux 7 has the packages for smart card support installed.

Run the following command to determine if the pam_pkcs11 package is installed:
$ rpm -q pam_pkcs11
      Is it the case that smartcard software is not installed?
      

To verify that the installed operating system is supported, run
the following command:

$ grep -i "oracle" /etc/oracle-release

Oracle Linux 7
      Is it the case that the installed operating system is not supported?
      

install dccp /bin/false

blacklist dccp

If the system is configured to prevent the loading of the dccp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

install usb-storage /bin/false

blacklist usb-storage

If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

Verify that Oracle Linux 7 does not have unauthorized IP tunnels configured.


# yum list installed libreswan
libreswan.x86-64 3.20-5.el7_4


If "libreswan" is installed, check to see if the "IPsec" service is active with the following command:

# systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)


If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following:
grep -rni conn /etc/ipsec.conf /etc/ipsec.d/
Verify any returned results for organizational approval.
      Is it the case that the IPSec tunnels are not approved?
      

Verify the nodev option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . nodev . . .

      Is it the case that the "/dev/shm" file system does not have the "nodev" option set?
      

Verify the noexec option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . noexec . . .

      Is it the case that the "/dev/shm" file system does not have the "noexec" option set?
      

Verify the nosuid option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . nosuid . . .

      Is it the case that the "/dev/shm" file system does not have the "nosuid" option set?
      

Verify the nosuid option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . nosuid . . .

      Is it the case that the "/home" file system does not have the "nosuid" option set?
      

To verify the sec option is configured for all NFS mounts, run the following command:
$ mount | grep "sec="
All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses.
This is not applicable if NFS is not implemented.
      Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?
      

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses.  This is not applicable if NFS is
not implemented.
      Is it the case that the setting does not show?
      

To verify the nosuid option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?
      

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?
      

$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns

$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Verify that DNS servers have been configured properly, perform the following:
$ sudo grep nameserver /etc/resolv.conf
      Is it the case that less than two lines are returned that are not commented out?
      

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago

# firewall-cmd --get-default-zone
public

# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: mdns ssh
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:

# ls -al /etc/hosts.allow
rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow

# ls -al /etc/hosts.deny
-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny

To verify there is a system access control program configured
to grant or deny system access to specific hosts check to see
if "firewalld" is active and the default zone is "public".

If "firewalld" is not active, determine whether "tcpwrappers"
is being used by checking whether the "hosts.allow" and "hosts.deny"
files are empty.

If "firewalld" is not active and configured, and the "hosts.allow" and
"hosts.deny" files are empty, this is a finding.
      Is it the case that the system access control program is not configured?
      

$ ip link | grep PROMISC

$ sudo ip link set dev device_name multicast off promisc off

Verify that Promiscuous mode of an interface is disabled, run the following command:
$ ip link | grep PROMISC
      Is it the case that any network device is in promiscuous mode?
      

To verify that null passwords cannot be used, run the following command:

$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth

If this produces any output, it may be possible to log into accounts
with empty passwords. Remove any instances of the nullok option to
prevent logins with empty passwords.
      Is it the case that NULL passwords can be used?
      

$ sudo awk -F: '!$2 {print $1}' /etc/shadow

$ sudo passwd [username]

$ sudo passwd -l [username]

To verify that null passwords cannot be used, run the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
      Is it the case that Blank or NULL passwords can be used?
      

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid user:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid user should be located.
      Is it the case that files exist that are not owned by a valid user?
      

$ sudo rm /[path]/[to]/[file]/shosts.equiv

Verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
      Is it the case that shosts.equiv files exist?
      

$ sudo find / -name '.shosts' -type f -delete

To verify that there are no .shosts files
on the system, run the following command:
$ sudo find / -name '.shosts'
      Is it the case that .shosts files exist?
      

$ sudo yum install aide

Run the following command to determine if the aide package is installed: $ rpm -q aide
      Is it the case that the package is not installed?
      

$ sudo yum install firewalld

Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld
      Is it the case that the package is not installed?
      

$ sudo yum install mailx

Run the following command to determine if the mailx package is installed: $ rpm -q mailx
      Is it the case that the package is not installed?
      

$ sudo yum install openssh-server

Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
      Is it the case that the package is not installed?
      

$ sudo yum erase rsh-server

Run the following command to determine if the rsh-server package is installed:
$ rpm -q rsh-server
      Is it the case that the package is installed?
      

$ sudo yum install screen

$ screen

ctrl+a x

Run the following command to determine if the screen package is installed: $ rpm -q screen
      Is it the case that the package is not installed?
      

$ sudo yum erase telnet-server

Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
      Is it the case that the package is installed?
      

 $ sudo yum erase tftp-server

Run the following command to determine if the tftp-server package is installed:
$ rpm -q tftp-server
      Is it the case that the package is installed?
      

 $ sudo yum erase vsftpd

Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
      Is it the case that the package is installed?
      

$ sudo yum erase ypserv

Run the following command to determine if the ypserv package is installed:
$ rpm -q ypserv
      Is it the case that the package is installed?
      

Verify that a separate file system/partition has been created for /home with the following command:

$ mountpoint /home

      Is it the case that "/home is not a mountpoint" is returned?
      

Verify that a separate file system/partition has been created for /tmp with the following command:

$ mountpoint /tmp

      Is it the case that "/tmp is not a mountpoint" is returned?
      

Verify that a separate file system/partition has been created for /var with the following command:

$ mountpoint /var

      Is it the case that "/var is not a mountpoint" is returned?
      

Verify that a separate file system/partition has been created for /var/log/audit with the following command:

$ mountpoint /var/log/audit

      Is it the case that "/var/log/audit is not a mountpoint" is returned?
      

password substack system-auth

To verify that PAM implements system-auth when changing passwords
run the following command:
# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
password substack system-auth
      Is it the case that /etc/pam.d/passwd does not implement /etc/pam.d/system-auth?
      

/etc/postfix/main.cf

$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

Verify that Oracle Linux 7 is configured to prevent unrestricted mail relaying,
run the following command:
$ sudo postconf -n smtpd_client_restrictions
      Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"?
      

To check if authentication is required for emergency mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/emergency.service
The output should be similar to the following, and the line must begin with
ExecStart and /sbin/sulogin.
    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"

Then, check if the emergency target requires the emergency service:
Run the following command:
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
The output should be the following:
Requires=emergency.service

Then, check if there is no custom emergency target configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.target /etc/systemd/system/
The output should be empty.

Then, check if there is no custom emergency service configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.service /etc/systemd/system/
The output should be empty.
      Is it the case that the output is different?
      

To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with
ExecStart and /sbin/sulogin.
    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"


Then, verify that the rescue service is in the runlevel1.target.
Run the following command:
$ sudo grep "^Requires=.*rescue\.service" /usr/lib/systemd/system/runlevel1.target
The output should be the following:
Requires=sysinit.target rescue.service

Then, check if there is no custom runlevel1 target configured in systemd configuration.
Run the following command:
$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
There should be no output.

Then, check if there is no custom rescue service configured in systemd configuration.
Run the following command:
$ sudo grep -r "^rescue.service$" /etc/systemd/system
There should be no output.
      Is it the case that the output is different?
      

$ rpm -Va --noconfig | grep '^..5'

$ rpm -qf FILENAME
                

$ sudo yum reinstall PACKAGENAME
                

$ sudo rpm -Uvh PACKAGENAME
                

The following command will list which files on the system have file hashes different from what
is expected by the RPM database.
$ rpm -Va --noconfig | awk '$1 ~ /..5/'
      Is it the case that there is output?
      

rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

$ rpm -qf FILENAME
                

$ sudo rpm --restore PACKAGENAME
                

The following command will list which files on the system have ownership different from what
is expected by the RPM database:
$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
      Is it the case that there is output?
      

$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'

$ rpm -qf FILENAME
                

$ sudo rpm --restore PACKAGENAME
                

The following command will list which files on the system have permissions different from what
is expected by the RPM database:
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
      Is it the case that there is output?
      

cron.*                                                  /var/log/cron

cron.* action(type="omfile" file="/var/log/cron")

Verify that cron is logging to rsyslog,
run the following command:
grep -rni "cron\.\*" /etc/rsyslog.*
cron.*                                                  /var/log/cron
or
cron.* action(type="omfile" file="/var/log/cron")
      Is it the case that cron is not logging to rsyslog?
      

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
            

module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

Verify that the system is not accepting "rsyslog" messages from other systems unless it is
documented as a log aggregation server.
Display the contents of the rsyslog configuration files:
find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \;

If any of the below lines are found, ask to see the documentation for the system being used
for log aggregation:

If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

      Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system?
      

*.* @
                
              
            

*.* @@
                
              
            

*.* :omrelp:
                
              
            

To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
 *.* @
If using TCP, a line similar to the following should be present:
 *.* @@
If using RELP, a line similar to the following should be present:
 *.* :omrelp:
      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
      

$ sudo setsebool -P ssh_sysadm_login off

Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled:
$ getsebool ssh_sysadm_login
If properly configured, the output should show the following:
ssh_sysadm_login --> off
      Is it the case that ssh_sysadm_login is not disabled?
      

$ sudo yum update

$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"

To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
      Is it the case that there is output?
      

$ sudo semanage user -m staff_u -R staff_r -R sysadm_r

$ sudo semanage -m user_u -R user_r

Verify the operating system confines SELinux users to roles that conform to least
privilege. Check the SELinux User list to SELinux Roles mapping by using the
following command:
sudo semanage user -l
The output should look like this:
SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles
guest_u            user  s0  s0  guest_r
root                   user  s0  s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
staff_u              user  s0  s0-s0:c0.c1023  staff_r sysadm_r
sysadm_u         user  s0  s0-s0:c0.c1023  sysadm_r
system_u          user  s0  s0-s0:c0.c1023  system_r unconfined_r
unconfined_u  user  s0  s0-s0:c0.c1023  system_r unconfined_r
user_u               user  s0  s0  user_r
xguest_u           user  s0  s0  xguest_r

      Is it the case that selinux users are not confined to least privilege?
      

sudo visudo -f /etc/sudoers.d/CUSTOM_FILE
          

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Verify the operating system elevates the SELinux context when an administrator calls the
sudo command with the following command:

This command must be ran as root:
grep sysadm_r /etc/sudoers.d/*
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

      Is it the case that selinux context does not elevate when running sudo command?
      

SELINUXTYPE=
          

Verify the SELINUX on Oracle Linux 7 is using the  policy with the following command:

$ sestatus | grep policy

Loaded policy name:             
      Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"?
      

SELINUX=
          

Ensure that Oracle Linux 7 verifies correct operation of security functions.

Check if "SELinux" is active and in "" mode with the following command:

$ sudo getenforce

      Is it the case that SELINUX is not set to enforcing?
      

$ sudo semanage login -m -s sysadm_u USER
          

$ sudo semanage login -m -s staff_u USER
          

$ sudo semanage login -m -s user_u USER
          

To verify the operating system prevents non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures, run the following
command:
$ sudo semanage login -l
All administrators must be mapped to the sysadm_u or staff_u
users with the appropriate domains (sysadm_t and staff_t).

All authorized non-administrative
users must be mapped to the user_u role or the appropriate domain
(user_t).
      Is it the case that non-admin users are not confined correctly?
      

$ sudo systemctl enable auditd.service

Run the following command to determine the current status of the
auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following: active
      Is it the case that the auditd service is not running?
      

$ sudo systemctl mask --now autofs.service

To check that the autofs service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled autofs disabled

Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active autofs

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the autofs is masked, run the following command:
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "autofs" is loaded and not masked?
      

$ sudo systemctl enable firewalld.service

Run the following command to determine the current status of the
firewalld service:
$ sudo systemctl is-active firewalld
If the service is running, it should return the following: active
      Is it the case that the "firewalld" service is disabled, masked, or not started.?
      

$ sudo systemctl mask --now kdump.service

To check that the kdump service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled kdump disabled

Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active kdump

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the kdump is masked, run the following command:
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "kdump" is loaded and not masked?
      

$ sudo systemctl enable sshd.service

Run the following command to determine the current status of the
sshd service:
$ sudo systemctl is-active sshd
If the service is running, it should return the following: active
      Is it the case that sshd service is disabled?
      

crypt_style = 
              

Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.

Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i crypt_style /etc/libuser.conf

crypt_style = 
      Is it the case that crypt_style is not set to sha512?
      

ENCRYPT_METHOD 
              

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.

Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD 
      Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />?
      

password    sufficient    pam_unix.so 
                other arguments...
              

Inspect the password section of /etc/pam.d/password-auth
and ensure that the pam_unix.so module is configured to use the argument
:

$ grep  /etc/pam.d/password-auth
      Is it the case that it does not?
      

password    sufficient    pam_unix.so 
                other arguments...
              

Inspect the password section of /etc/pam.d/system-auth
and ensure that the pam_unix.so module is configured to use the argument
:

$ sudo grep "^password.*pam_unix\.so.*" /etc/pam.d/system-auth

password sufficient pam_unix.so 
      Is it the case that "<sub idref="var_password_hashing_algorithm_pam" />" is missing, or is commented out?
      

• https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/userauth-AuthenticationConfiguration.html#ol7-s4-auth

Interview the SA to determine if all accounts not exempted by policy are
using CAC authentication. For DoD systems, the following systems and
accounts are exempt from using smart card (CAC) authentication:

SIPRNET systems
Standalone systems
Application accounts
Temporary employee accounts, such as students or interns, who cannot
easily receive a CAC or PIV
Operational tactical locations that are not collocated with RAPIDS
workstations to issue CAC or ALT
Test systems, such as those with an Interim Approval to Test (IATT) and
use a separate VPN, firewall, or security measure preventing access to
network and system components from outside the protection boundary
documented in the IATT.

      Is it the case that non-exempt accounts are not using CAC authentication?
      

cert_policy = ca, ocsp_on, signature;

To verify the operating system implements certificate status checking for PKI
authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similiar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
      Is it the case that ocsp_on is not configured?
      

$ sudo systemctl restart snmpd

To ensure the default password is not set, run the following command:
$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private'
There should be no output.
      Is it the case that the default SNMP passwords public and private have not been changed or removed?
      

Protocol 2

To check which SSH protocol version is allowed, check version of openssh-server with following command:

$ rpm -qi openssh-server | grep Version

Versions equal to or higher than 7.4 only allow Protocol 2.
If version is lower than 7.4, run the following command to check configuration:
$ sudo grep Protocol /etc/ssh/sshd_config
If configured properly, output should be Protocol 2
      Is it the case that it is commented out or is not set correctly to Protocol 2?
      

Compression 
            

To check if compression is enabled or set correctly, run the
following command:
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be no or delayed.
      Is it the case that it is commented out, or is not set to no or delayed?
      

PermitEmptyPasswords no

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

GSSAPIAuthentication no

To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:

$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

KerberosAuthentication no

To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:

$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

IgnoreRhosts yes

To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:

$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

RhostsRSAAuthentication no

To check which SSH protocol version is allowed, check version of
openssh-server with following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option.
If version is lower than 7.4, run the following command to check configuration:
To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command:

$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

PermitRootLogin no

To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

IgnoreUserKnownHosts yes

To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

X11Forwarding no

To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

PermitUserEnvironment no

To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

StrictModes yes

To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Banner /etc/issue

To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?