The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise.  Encrypting this data mitigates
the risk of its loss if the system is lost.

Check the system partitions to determine if they are encrypted with the following command:
blkid

Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"

The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?
      

Oracle Linux 9 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.

            
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.


            
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
            
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.

            
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.


            
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Oracle Linux 9 Documentation web site:
            https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options
.

Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.

Verify that a separate file system/partition has been created for /var/log/audit with the following command:

$ mountpoint /var/log/audit

      Is it the case that "/var/log/audit is not a mountpoint" is returned?
      

Audit logs are stored in the /var/log/audit directory.

Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.

Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.

Verify that a separate file system/partition has been created for /home with the following command:

$ mountpoint /home

      Is it the case that "/home is not a mountpoint" is returned?
      

If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.

The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.

Verify that a separate file system/partition has been created for /tmp with the following command:

$ mountpoint /tmp

      Is it the case that "/tmp is not a mountpoint" is returned?
      

The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.

Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.

Verify that a separate file system/partition has been created for /var with the following command:

$ mountpoint /var

      Is it the case that "/var is not a mountpoint" is returned?
      

The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.

Placing /var/log in its own partition
enables better separation between log files
and other files in /var/.

Verify that a separate file system/partition has been created for /var/log with the following command:

$ mountpoint /var/log

      Is it the case that "/var/log is not a mountpoint" is returned?
      

System logs are stored in the /var/log directory.

Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM.

The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.

Verify that a separate file system/partition has been created for /var/tmp with the following command:

$ mountpoint /var/tmp

      Is it the case that "/var/tmp is not a mountpoint" is returned?
      

The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.

An operating system is considered "supported" if the vendor continues to
provide security patches for the product.  With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software.

To verify that the installed operating system is supported, run
the following command:

$ grep -i "oracle" /etc/oracle-release

Oracle Linux 9
      Is it the case that the installed operating system is not supported?
      

The installed operating system must be maintained by a vendor.

Oracle Linux is supported by Oracle Corporation. As the Oracle
Linux vendor, Oracle Corporation is responsible for providing security patches.

Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.

If the system is joined to the ULN
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the ULN and installed using rpm.


            
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.

Services that are not required for system and application processes
must not be active to decrease the attack surface of the system.

Verify that Oracle Linux 9 is configured to boot to the command line:
$ systemctl get-default
multi-user.target
      Is it the case that the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface?
      

Systems that do not require a graphical user interface should only boot by
default into multi-user.target mode. This prevents accidental booting of the system
into a graphical.target mode. Setting the system's default target to
multi-user.target will prevent automatic startup of the graphical environment.
To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
          

This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.

To check if authentication is required for emergency mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/emergency.service
The output should be similar to the following, and the line must begin with
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Then, check if the emergency target requires the emergency service:
Run the following command:
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
The output should be the following:
Requires=emergency.service

Then, check if there is no custom emergency target configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.target /etc/systemd/system/
The output should be empty.

Then, check if there is no custom emergency service configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.service /etc/systemd/system/
The output should be empty.
      Is it the case that the output is different?
      

Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.

            
By default, Emergency mode is protected by requiring a password and is set
in /usr/lib/systemd/system/emergency.service.

This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.

To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

In case the output does not match, check if the ExecStart directive is not overridden:
grep ExecStart /etc/systemd/system/rescue.service.d/*.conf
The output should contain two lines:
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue



Then, verify that the rescue service is in the runlevel1.target.
Run the following command:
$ sudo grep "^Requires=.*rescue\.service" /usr/lib/systemd/system/runlevel1.target
The output should be the following:
Requires=sysinit.target rescue.service

Then, check if there is no custom runlevel1 target configured in systemd configuration.
Run the following command:
$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
There should be no output.

Then, check if there is no custom rescue service configured in systemd configuration.
Run the following command:
$ sudo grep -r "^rescue.service$" /etc/systemd/system
There should be no output.
      Is it the case that the output is different?
      

Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.

            
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service.

Disabling ATM protects the system against exploitation of any
flaws in its implementation.

If the system is configured to prevent the loading of the atm kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.

To configure the system to prevent the atm
kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
install atm /bin/false

To configure the system to prevent the atm from being used,
add the following line to file /etc/modprobe.d/atm.conf:
blacklist atm
          

Disabling CAN protects the system against exploitation of any
flaws in its implementation.

If the system is configured to prevent the loading of the can kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r can /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.

To configure the system to prevent the can
kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
install can /bin/false

To configure the system to prevent the can from being used,
add the following line to file /etc/modprobe.d/can.conf:
blacklist can
          

Disabling FireWire protects the system against exploitation of any
flaws in its implementation.

If the system is configured to prevent the loading of the firewire-core kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.

To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
install firewire-core /bin/false

To configure the system to prevent the firewire-core from being used,
add the following line to file /etc/modprobe.d/firewire-core.conf:
blacklist firewire-core
          

Disabling SCTP protects
the system against exploitation of any flaws in its implementation.

If the system is configured to prevent the loading of the sctp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.

To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/false

To configure the system to prevent the sctp from being used,
add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp
          

Disabling TIPC protects
the system against exploitation of any flaws in its implementation.

If the system is configured to prevent the loading of the tipc kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.

To configure the system to prevent the tipc
kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
install tipc /bin/false

To configure the system to prevent the tipc from being used,
add the following line to file /etc/modprobe.d/tipc.conf:
blacklist tipc
          

Removing support for unneeded filesystem types reduces the local attack surface
of the server.

If the system is configured to prevent the loading of the cramfs kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/false

To configure the system to prevent the cramfs from being used,
add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfs

This effectively prevents usage of this uncommon filesystem.

The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image.

If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.

If the system is configured to prevent the loading of the bluetooth kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
            

USB storage devices such as thumb drives can be used to introduce
malicious software.

If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.

To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false

To configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storage

This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually.

Having a non-default grub superuser username makes password-guessing attacks less effective.

To verify the boot loader superuser account has been set, run the following
command:
sudo grep -A1 "superusers" /boot/grub2/grub.cfg
The output should show the following:
set superusers="superusers-account"
export superusers
where superusers-account is the actual account name different from common names like root,
admin, or administrator and different from any other existing user name.
      Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name?
      

The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.

            
To maximize the protection, select a password-protected superuser account with unique name, and modify the
/etc/grub.d/01_users configuration file to reflect the account name change.

            
Do not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.

            
Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superusers=\).*/\1""/g' /etc/grub.d/01_users
The line mentioned above must be followed by the line
export superusers
so that the superusers is honored.

            
Once the superuser account has been added,
update the
grub.cfg file by running:
grubby --update-kernel=ALL
          

Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.

Ensure that Oracle Linux 9 verifies correct operation of security functions.

Check if "SELinux" is active and in "" mode with the following command:

$ sudo getenforce

      Is it the case that SELINUX is not set to enforcing?
      

The SELinux state should be set to 
            
           at
system boot time.  In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=
          
        

Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.

          
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to

            
          .

Verify the SELINUX on Oracle Linux 9 is using the  policy with the following command:

$ sestatus | grep policy

Loaded policy name:             
      Is it the case that the loaded policy name is not ""?
      

The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=
          
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.

Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.

To verify that cryptography policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
The output should return .
Run the command to check if the policy is correctly applied:
$ update-crypto-policies --is-applied
The output should be The configured policy is applied.
Moreover, check if settings for selected crypto policy are as expected.
List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends.
$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort
Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory.
$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort
Outputs of two previous commands should match.
      Is it the case that cryptographic policy is not configured or is configured incorrectly?
      

To configure the system cryptography policy to use ciphers only from the 
                
              
policy, run the following command:
$ sudo update-crypto-policies --set 
              
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.

Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.

            
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist.

To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?
      

To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.


The DoD required text is either:

            
            You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
            
            
OR:

            
            I've read & consent to terms in IS user agreem't.
          

          nfs-utils provides a daemon for the kernel NFS server and related tools. This
package also contains the showmount program. showmount queries the mount
daemon on a remote host for information about the Network File System (NFS) server on the
remote host. For example, showmount can display the clients which are mounted on
that host.

Run the following command to determine if the nfs-utils package is installed:
$ rpm -q nfs-utils
      Is it the case that the package is installed?
      

The nfs-utils package can be removed with the following command:

$ sudo yum erase nfs-utils
        

The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation.

Run the following command to determine if the rsh-server package is installed:
$ rpm -q rsh-server
      Is it the case that the package is installed?
      

The rsh-server package can be removed with the following command:

$ sudo yum erase rsh-server
          

It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.

The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.

Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation.

Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
      Is it the case that the package is installed?
      

The telnet-server package can be removed with the following command:

$ sudo yum erase telnet-server
          

            gssproxy is a proxy for GSS API credential handling.
Kerberos relies on some key derivation functions that may not
be compatible with some site policies such as FIPS 140.

Run the following command to determine if the gssproxy package is installed:
$ rpm -q gssproxy
      Is it the case that the package is installed?
      

The gssproxy package can be removed with the following command:

$ sudo yum erase gssproxy
          

            iprutils provides a suite of utlilities to manage and configure SCSI devices
supported by the ipr SCSI storage device driver.

Run the following command to determine if the iprutils package is installed:
$ rpm -q iprutils
      Is it the case that the package is installed?
      

The iprutils package can be removed with the following command:

$ sudo yum erase iprutils
          

            tuned contains a daemon that tunes the system settings dynamically.
It does so by monitoring the usage of several system components periodically. Based
on that information, components will then be put into lower or higher power savings
modes to adapt to the current usage.

Run the following command to determine if the tuned package is installed:
$ rpm -q tuned
      Is it the case that the package is installed?
      

The tuned package can be removed with the following command:

$ sudo yum erase tuned
          

Removing the vsftpd package decreases the risk of its
accidental activation.

Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
      Is it the case that the package is installed?
      

The vsftpd package can be removed with the following command:  $ sudo yum erase vsftpd
          

Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.

            
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established.

Run the following command to determine if the tftp-server package is installed:
$ rpm -q tftp-server
      Is it the case that the package is installed?
      

The tftp-server package can be removed with the following command:  $ sudo yum erase tftp-server
          

Routing software is typically used on routers to exchange network topology information
with other routers. If routing software is used when not required, system network
information may be unnecessarily transmitted across the network.

If there is no need to make the router software available,
removing it provides a safeguard against its activation.

Run the following command to determine if the quagga package is installed:
$ rpm -q quagga
      Is it the case that the package is installed?
      

The quagga package can be removed with the following command:  $ sudo yum erase quagga
          

Unnecessary service packages must not be installed to decrease the attack surface of the system.
X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

To ensure the X Windows package group is removed, run the following command:
$ rpm -qi xorg-x11-server-Xorg
$ rpm -qi xorg-x11-server-common
$ rpm -qi xorg-x11-server-utils
$ rpm -qi xorg-x11-server-Xwayland
For each package mentioned above you should receive following line:
package  is not installed
      Is it the case that xorg related packages are not removed and run level is not correctly configured?
      

By removing the following packages, the system no longer has X Windows installed.
 xorg-x11-server-Xorg
            xorg-x11-server-common
            xorg-x11-server-utils
            xorg-x11-server-Xwayland

If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
          

The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux.  Postfix
should be used instead.

Run the following command to determine if the sendmail package is installed:
$ rpm -q sendmail
      Is it the case that the package is installed?
      

Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:

$ sudo yum erase sendmail
        

Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.

policycoreutils contains the policy core utilities that are required for
basic operation of an SELinux-enabled system. These utilities include load_policy
to load SELinux policies, setfiles to label filesystems, newrole to
switch roles, and so on.

Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils
      Is it the case that the policycoreutils package is not installed?
      

The policycoreutils package can be installed with the following command:

$ sudo yum install policycoreutils
        

This package is required to operate and manage an SELinux environment and its policies.
It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.

Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils
      Is it the case that the package is not installed?
      

The policycoreutils-python-utils package can be installed with the following command:

$ sudo yum install policycoreutils-python-utils
        

"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.

Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.

Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Oracle Linux 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity.
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."

Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld
      Is it the case that the package is not installed?
      

The firewalld package can be installed with the following command:

$ sudo yum install firewalld
            

Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.

Run the following command to determine the current status of the
firewalld service:
$ sudo systemctl is-active firewalld
If the service is running, it should return the following: active
      Is it the case that the "firewalld" service is disabled, masked, or not started.?
      

The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
            

In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.

              
Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services provided by default may not be necessary to support
essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from a single component
(e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by
one component.

              
To support the requirements and principles of least functionality, the operating system must
support the organizational requirements, providing only essential capabilities and limiting the
use of ports, protocols, and/or services to only those required, authorized, and approved to
conduct official business.

Inspect the list of enabled firewall ports and verify they are configured correctly by running
the following command:

$ sudo firewall-cmd --list-all

Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
      Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured?
      

Configure the firewalld ports to allow approved services to have access to the system.
To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcp
              
To configure firewalld to allow access for pre-defined services, run the following
command:
firewall-cmd --permanent --add-service=service_name
              
            

In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.

              
Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services provided by default may not be necessary to support
essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from a single component
(e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by
one component.

              
To support the requirements and principles of least functionality, the operating system must
support the organizational requirements, providing only essential capabilities and limiting the
use of ports, protocols, and/or services to only those required, authorized, and approved to
conduct official business.

Inspect the list of enabled firewall ports and verify they are configured correctly by running
the following command:

$ sudo firewall-cmd --list-all

Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
      Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured?
      

Configure the firewalld ports to allow approved services to have access to the system.
To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcp
              
To configure firewalld to allow access for pre-defined services, run the following
command:
firewall-cmd --permanent --add-service=service_name
              
            

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems.
It also permits outbound connections that may facilitate exfiltration of data.

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state

running

$ sudo firewall-cmd --get-active-zones

[custom]
interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target

target: DROP
      Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"?
      

Oracle Linux 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones.
Zones can be utilized to a deny-all, allow-by-exception approach.
The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

            sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done.

Run the following command to determine if the sudo package is installed: $ rpm -q sudo
      Is it the case that the package is not installed?
      

The sudo package can be installed with the following command:

$ sudo yum install sudo
          

If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
the invoking user for the "root" user password.

Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
If no results are returned, this is a finding.
If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
      Is it the case that invoke user passwd when using sudo?
      

The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
             Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
             /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
          

If the "sudoers" file is not configured correctly, any user defined
on the system can initiate privileged actions on the target system.

Determine if "sudoers" file restricts sudo access run the following commands:
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
      Is it the case that either of the commands returned a line?
      

The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
            ALL ALL=(ALL:ALL) ALL
          

Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.

Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies
      Is it the case that the package is not installed?
      

The crypto-policies package can be installed with the following command:

$ sudo yum install crypto-policies
            

Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.

To verify that cryptography policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
The output should return .
Run the command to check if the policy is correctly applied:
$ update-crypto-policies --is-applied
The output should be The configured policy is applied.
Moreover, check if settings for selected crypto policy are as expected.
List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends.
$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort
Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory.
$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort
Outputs of two previous commands should match.
      Is it the case that cryptographic policy is not configured or is configured incorrectly?
      

To configure the system cryptography policy to use ciphers only from the 
                
              
policy, run the following command:
$ sudo update-crypto-policies --set 
              
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.

Centralized cryptographic policies simplify applying secure ciphers across an operating
system and the applications that run on that operating system. Use of weak or untested
encryption algorithms undermines the purposes of using encryption to protect data.

Validate all files are symlinks to ponting to /usr/share/crypto-policies/FIPS/ except for
nss.config:

$ stat -c%N /etc/crypto-policies/back-ends/*
'/etc/crypto-policies/back-ends/bind.config' -> '/usr/share/crypto-policies/FIPS/bind.txt'
'/etc/crypto-policies/back-ends/gnutls.config' -> '/usr/share/crypto-policies/FIPS/gnutls.txt'
'/etc/crypto-policies/back-ends/java.config' -> '/usr/share/crypto-policies/FIPS/java.txt'
'/etc/crypto-policies/back-ends/javasystem.config' -> '/usr/share/crypto-policies/FIPS/javasystem.txt'
'/etc/crypto-policies/back-ends/krb5.config' -> '/usr/share/crypto-policies/FIPS/krb5.txt'
'/etc/crypto-policies/back-ends/libreswan.config' -> '/usr/share/crypto-policies/FIPS/libreswan.txt'
'/etc/crypto-policies/back-ends/libssh.config' -> '/usr/share/crypto-policies/FIPS/libssh.txt'
'/etc/crypto-policies/back-ends/nss.config'
'/etc/crypto-policies/back-ends/openssh.config' -> '/usr/share/crypto-policies/FIPS/openssh.txt'
'/etc/crypto-policies/back-ends/opensshserver.config' -> '/usr/share/crypto-policies/FIPS/opensshserver.txt'
'/etc/crypto-policies/back-ends/opensslcnf.config' -> '/usr/share/crypto-policies/FIPS/opensslcnf.txt'
'/etc/crypto-policies/back-ends/openssl.config' -> '/usr/share/crypto-policies/FIPS/openssl.txt'
'/etc/crypto-policies/back-ends/openssl_fips.config' -> '/usr/share/crypto-policies/FIPS/openssl_fips.txt'

      Is it the case that Any file shows a different output?
      

All files in /etc/crypto-policies/back-ends/ except for nss.config should be symlinks pointing
to /usr/share/crypto-policies/FIPS/

$ stat -c%N /etc/crypto-policies/back-ends/*
'/etc/crypto-policies/back-ends/bind.config' -> '/usr/share/crypto-policies/FIPS/bind.txt'
'/etc/crypto-policies/back-ends/gnutls.config' -> '/usr/share/crypto-policies/FIPS/gnutls.txt'
'/etc/crypto-policies/back-ends/java.config' -> '/usr/share/crypto-policies/FIPS/java.txt'
'/etc/crypto-policies/back-ends/javasystem.config' -> '/usr/share/crypto-policies/FIPS/javasystem.txt'
'/etc/crypto-policies/back-ends/krb5.config' -> '/usr/share/crypto-policies/FIPS/krb5.txt'
'/etc/crypto-policies/back-ends/libreswan.config' -> '/usr/share/crypto-policies/FIPS/libreswan.txt'
'/etc/crypto-policies/back-ends/libssh.config' -> '/usr/share/crypto-policies/FIPS/libssh.txt'
'/etc/crypto-policies/back-ends/nss.config'
'/etc/crypto-policies/back-ends/openssh.config' -> '/usr/share/crypto-policies/FIPS/openssh.txt'
'/etc/crypto-policies/back-ends/opensshserver.config' -> '/usr/share/crypto-policies/FIPS/opensshserver.txt'
'/etc/crypto-policies/back-ends/opensslcnf.config' -> '/usr/share/crypto-policies/FIPS/opensslcnf.txt'
'/etc/crypto-policies/back-ends/openssl.config' -> '/usr/share/crypto-policies/FIPS/openssl.txt'
'/etc/crypto-policies/back-ends/openssl_fips.config' -> '/usr/share/crypto-policies/FIPS/openssl_fips.txt'

            

The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.

The following command will list which files on the system have file hashes different from what
is expected by the RPM database.
$ rpm -Va --noconfig | awk '$1 ~ /..5/'
      Is it the case that there is output?
      

Without cryptographic integrity protections, system executables and files can be altered by
unauthorized users without detection. The RPM package management system can check the hashes
of installed software packages, including many that are important to system security.

To verify that the cryptographic hash of system files and commands matches vendor values, run
the following command to list which files on the system have hashes that differ from what is
expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'

If the file was not expected to change, investigate the cause of the change using audit logs
or other means. The package can then be reinstalled to restore the file. Run the following
command to determine which package owns the file:
$ rpm -qf FILENAME
                

The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
                

Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
                
              

The crypto-policies package defines the cryptography policies for the system.
If the files are changed from those shipped with the operating system, 
It may be possible for Oracle Linux 9 to use cryptographic functions that are not FIPS 140-3 approved.

Verify that Oracle Linux 9 crypto-policies package has not been modified with the following command:
$ rpm -V crypto-policies
If the command has any output, this is a finding.
      Is it the case that there is output?
      

Without cryptographic integrity protections, system executables and files can be altered by
unauthorized users without detection. The RPM package management system can check the hashes
of installed software packages, including many that are important to system security.

If the file was not expected to change, investigate the cause of the change using audit logs
or other means. The package can then be reinstalled to restore the file. Run the following
command to determine which package owns the file:
$ rpm -qf FILENAME
                

The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall crypto-policies
              

Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.

Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
      Is it the case that the package is not installed?
      

The openssh-server package should be installed.
The openssh-server package can be installed with the following command:

$ sudo yum install openssh-server
        

Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.

          
This checklist item applies to both internal and external networks and all types
of information system components from which information can be transmitted (e.g., servers,
mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths
outside the physical protection of a controlled boundary are exposed to the possibility
of interception and modification.

Run the following command to determine the current status of the
sshd service:
$ sudo systemctl is-active sshd
If the service is running, it should return the following: active
      Is it the case that sshd service is disabled?
      

The SSH server service, sshd, is commonly needed.

The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
        

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

SSHD should follow the system cryptographic policy.
In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
The following line should be present in /etc/ssh/sshd_config or in a file included by this file (a file within the /etc/ssh/sshd_config.d directory):
Include /etc/crypto-policies/back-ends/opensshserver.config
          

Overriding the system crypto policy makes the behavior of the OpenSSH server
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections.

To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oCiphers=
      Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.

To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oCiphers=
              
            

Overriding the system crypto policy makes the behavior of the OpenSSH
server violate expectations, and makes system configuration more
fragmented.

To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oMACS=
      Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.

To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oMACS=
              
            

The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution.

To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?
      

To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in


/etc/ssh/sshd_config:

Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner.

This package includes utilities to make encrypted connections and transfer
files securely to SSH servers.

Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients
      Is it the case that the package is not installed?
      

The openssh-clients package can be installed with the following command:

$ sudo yum install openssh-clients
        

Overriding the system crypto policy makes the behavior of the OpenSSH client
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections.

To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
Ciphers 
      Is it the case that Crypto Policy for OpenSSH client is not configured correctly?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.

To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
Ciphers 
              
            

Overriding the system crypto policy makes the behavior of the OpenSSH
client violate expectations, and makes system configuration more
fragmented.

To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
MACs 
      Is it the case that Crypto Policy for OpenSSH client is not configured correctly?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.

To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
MACs 
              
            

Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.

Check that Oracle Linux 9 has the packages for smart card support installed.

Run the following command to determine if the openssl-pkcs11 package is installed:
$ rpm -q openssl-pkcs11
      Is it the case that smartcard software is not installed?
      

Configure the operating system to implement multifactor authentication by
installing the required package with the following command:

The openssl-pkcs11 package can be installed with the following command:

$ sudo yum install openssl-pkcs11
              

Run the following command to determine if the sssd package is installed: $ rpm -q sssd
      Is it the case that the package is not installed?
      

The sssd package should be installed.
The sssd package can be installed with the following command:

$ sudo yum install sssd
        

Run the following command to determine the current status of the
sssd service:
$ sudo systemctl is-active sssd
If the service is running, it should return the following: active
      Is it the case that the service is not enabled?
      

The SSSD service should be enabled.

The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service
        

Emails can be used to notify designated personnel about important
system events such as failures or warnings.

Run the following command to determine if the s-nail package is installed: $ rpm -q s-nail
      Is it the case that the package is not installed?
      

A mail server is required for sending emails.
The s-nail package can be installed with the following command:

$ sudo yum install s-nail
        

The AIDE package must be installed if it is to be available for integrity checking.

Run the following command to determine if the aide package is installed: $ rpm -q aide
      Is it the case that the package is not installed?
      

The aide package can be installed with the following command:

$ sudo yum install aide
              

Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.

                
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.

To determine that periodic AIDE execution has been scheduled, run the following command:

$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
The email address that the notifications are sent to can be changed by overriding
.
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?
      

AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.

File integrity tools use cryptographic hashes for verifying file contents and directories
have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
$ grep sha512 /etc/aide.conf
Verify that the sha512 option is added to the correct ruleset.
      Is it the case that the sha512 option is missing or not added to the correct ruleset?
      

By default, the sha512 option is added to the NORMAL ruleset in AIDE.
If using a custom ruleset or the sha512 option is missing, add sha512
to the appropriate ruleset.
For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.

ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?
      

By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.


The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
              

Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications.

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?
      

By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.


The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
              

Time synchronization is important to support time sensitive security mechanisms like
Kerberos and also ensures log files have consistent time records across the enterprise,
which aids in forensic investigations.

Run the following command to determine if the chrony package is installed: $ rpm -q chrony
      Is it the case that the package is not installed?
      

System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The chrony package can be installed with the following command:

$ sudo yum install chrony
        

If chrony is in use on the system proper configuration is vital to ensuring time
synchronization is working properly.

Run the following command to determine the current status of the
chronyd service:
$ sudo systemctl is-active chronyd
If the service is running, it should return the following: active
      Is it the case that the chronyd process is not running?
      

chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at

    https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
To enable Chronyd service, you can run:
# systemctl enable chronyd.service
This recommendation only applies if chrony is in use on the system.

          usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes.

Run the following command to determine if the usbguard package is installed: $ rpm -q usbguard
      Is it the case that the package is not installed?
      

The usbguard package can be installed with the following command:

$ sudo yum install usbguard
        

The usbguard service must be running in order to
enforce the USB device authorization policy for all USB devices.

Run the following command to determine the current status of the
usbguard service:
$ sudo systemctl is-active usbguard
If the service is running, it should return the following: active
      Is it the case that the service is not enabled?
      

The USBGuard service should be enabled.

The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
        

          fapolicyd (File Access Policy Daemon)
implements application whitelisting to decide file access rights.

Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd
      Is it the case that the fapolicyd package is not installed?
      

The fapolicyd package can be installed with the following command:

$ sudo yum install fapolicyd
        

The fapolicyd service (File Access Policy Daemon)
implements application whitelisting to decide file access rights.

Run the following command to determine the current status of the
fapolicyd service:
$ sudo systemctl is-active fapolicyd
If the service is running, it should return the following: active
      Is it the case that the service is not enabled?
      

The File Access Policy service should be enabled.

The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
        

The rsyslog package provides the rsyslog daemon, which provides
system logging services.

Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog
      Is it the case that the package is not installed?
      

Rsyslog is installed by default. The rsyslog package can be installed with the following command:  $ sudo yum install rsyslog
        

The rsyslog service must be running in order to provide
logging services, which are essential to system administration.

Run the following command to determine the current status of the
rsyslog service:
$ sudo systemctl is-active rsyslog
If the service is running, it should return the following: active
      Is it the case that the "rsyslog" service is disabled, masked, or not started.?
      

The rsyslog service provides syslog-style logging by default on Oracle Linux 9.

The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
        

The rsyslog-gnutls package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging.

Run the following command to determine if the rsyslog-gnutls package is installed:
$ rpm -q rsyslog-gnutls
      Is it the case that the package is installed?
      

TLS protocol support for rsyslog is installed.

The rsyslog-gnutls package can be installed with the following command:

$ sudo yum install rsyslog-gnutls
        

            rng-tools provides hardware random number generator tools,
such as those used in the formation of x509/PKI certificates.

Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools
      Is it the case that the package is not installed?
      

The rng-tools package can be installed with the following command:

$ sudo yum install rng-tools
          

Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Install the nss-tools package
to install command-line tools to manipulate the NSS certificate
and key database.

Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools
      Is it the case that the package is not installed?
      

The nss-tools package can be installed with the following command:

$ sudo yum install nss-tools
          

The pcsc-lite package must be installed if it is to be available for
multifactor authentication using smartcards.

Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite
      Is it the case that the package is not installed?
      

The pcsc-lite package can be installed with the following command:

$ sudo yum install pcsc-lite
              

Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.

Run the following command to determine if the opensc package is installed: $ rpm -q opensc
      Is it the case that the package is not installed?
      

The opensc package can be installed with the following command:

$ sudo yum install opensc
              

Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.

Run the following command to determine the current status of the
pcscd service:
$ sudo systemctl is-active pcscd
If the service is running, it should return the following: active
      Is it the case that the pcscd service is not enabled?
      

The pcscd service can be enabled with the following command:
$ sudo systemctl enable pcscd.service
              

Providing the ability for remote users or systems
to initiate a secure VPN connection protects information when it is
transmitted over a wide area network.

Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan
      Is it the case that the package is not installed?
      

The libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. The libreswan package can be installed with the following command:

$ sudo yum install libreswan
          

GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.

Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils
      Is it the case that the package is not installed?
      

The gnutls-utils package can be installed with the following command:

$ sudo yum install gnutls-utils
          

The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Run the following command to determine if the audit package is installed: $ rpm -q audit
      Is it the case that the audit package is not installed?
      

The audit package should be installed.

Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.

        
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions.

Run the following command to determine the current status of the
auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following: active
      Is it the case that the auditd service is not running?
      

The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
      

        audispd-plugins provides plugins for the real-time interface to the
audit subsystem, audispd. These plugins can do things like relay events
to remote machines or analyze events for suspicious behavior.

Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins
      Is it the case that the package is not installed?
      

The audispd-plugins package can be installed with the following command:

$ sudo yum install audispd-plugins
      

Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries.

Verify Oracle Linux 9 removes all software components after updated versions have been installed.


$ grep clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
      Is it the case that '"clean_requirements_on_remove" is not set to "1"'?
      

            yum should be configured to remove previous software components after
new versions have been installed. To configure yum to remove the

previous software components after updating, set the clean_requirements_on_remove


to 1 in /etc/yum.conf.

Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.

            
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization.

Verify that yum verifies the signature of local packages prior to install with the following command:

$ grep localpkg_gpgcheck /etc/yum.conf

localpkg_gpgcheck=1

If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates for local packages that is approved by the organization?
      

            yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA).

Verify that yum verifies the signature of packages from a repository prior to install with the following command:

$ grep gpgcheck /etc/yum.conf

gpgcheck=1

If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates that is approved by the organization?
      

The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1
          

Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)."

To determine whether yum has been configured to disable
gpgcheck for any repos,  inspect all files in
/etc/yum.repos.d and ensure the following does not appear in any
sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
      Is it the case that GPG checking is disabled?
      

To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
          

Changes to software components can have significant effects on the
overall security of the operating system. This requirement ensures
the software has not been tampered with and that it has been provided
by a trusted vendor. The Oracle GPG key is necessary to
cryptographically verify packages are from Oracle.

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Oracle OSS group (Open Source Software group) 
      Is it the case that the Oracle GPG Key is not installed?
      

To ensure the system can cryptographically verify base software
packages come from Oracle (and to connect to the Unbreakable Linux Network to
receive them), the Oracle GPG key must properly be installed.
To install the Oracle GPG key, run:
$ sudo uln_register
If the system is not connected to the Internet,
then install the Oracle GPG key from trusted media such as
the Oracle installation CD-ROM or DVD. Assuming the disc is mounted
in /media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY-oracle

Alternatively, the key may be pre-loaded during the Oracle installation. In
such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
          

The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/sudoers" with the following command:

$ sudo auditctl -l | grep /etc/sudoers

-w /etc/sudoers -p wa -k actions
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect administrator actions
for all users and root.




If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/sudoers -p wa -k actions
        

The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/sudoers.d/" with the following command:

$ sudo auditctl -l | grep /etc/sudoers.d/

-w /etc/sudoers.d/ -p wa -k actions
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect administrator actions
for all users and root.




If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/sudoers.d/ -p wa -k actions
        

In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep /etc/group

-w /etc/group -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?
      

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/group -p wa -k audit_rules_usergroup_modification
        

In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep /etc/gshadow

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
      Is it the case that the system is not configured to audit account changes?
      

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
        

In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep /etc/security/opasswd

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?
      

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
        

In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/passwd" with the following command:

$ sudo auditctl -l | grep /etc/passwd

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?
      

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
        

In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Verify Oracle Linux 9 generates audit records for all events that affect "/etc/shadow" with the following command:

$ sudo auditctl -l | grep /etc/shadow

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
      Is it the case that command does not return a line, or the line is commented out?
      

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
        

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "unix_update" command with the following command:

$ sudo auditctl -l | grep unix_update

-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.

To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
            -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
            -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
            -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
            -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter).

Verify that Oracle Linux 9 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "pam_timestamp_check" command with the following command:

$ sudo auditctl -l | grep pam_timestamp_check

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "postdrop" command with the following command:

$ sudo auditctl -l | grep postdrop

-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "postqueue" command with the following command:

$ sudo auditctl -l | grep postqueue

-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).

Verify that Oracle Linux 9 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysignssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "sudoedit" command with the following command:

$ sudo auditctl -l | grep sudoedit

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "userhelper" command with the following command:

$ sudo auditctl -l | grep userhelper

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "mount" command with the following command:

$ sudo auditctl -l | grep mount

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.

Verify Oracle Linux 9 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
          

The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.

To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
          

The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.

To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "semanage" command with the following command:

$ sudo auditctl -l | grep semanage

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "setfiles" command with the following command:

$ sudo auditctl -l | grep setfiles

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "setsebool" command with the following command:

$ sudo auditctl -l | grep setsebool

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter).

Verify that Oracle Linux 9 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence.

To determine if the system is configured to audit calls to the
unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
          

The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.

To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules


Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules.

The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.

To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules


Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules.

Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).

Verify that Oracle Linux 9 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.

Verify Oracle Linux 9 generates audit records for all events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

The audit system already collects login information for all users
and root.




If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /var/log/lastlog -p wa -k logins

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /var/log/lastlog -p wa -k logins
          

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.

Verify that Oracle Linux 9 is configured to audit the execution of the "umount" command with the following command:

$ sudo auditctl -l | grep umount

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Protecting the integrity of the tools used for auditing purposes is a
critical step toward ensuring the integrity of audit information. Audit
information includes all information (e.g., audit records, audit settings,
and audit reports) needed to successfully audit information system
activity.

Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.

It is not uncommon for attackers to replace the audit tools or inject code
into the existing tools to provide the capability to hide or erase system
activity from the audit logs.

To address this risk, audit tools must be cryptographically signed to
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files.

Check that AIDE is properly configured to protect the integrity of the
audit tools by running the following command:

# sudo cat /etc/aide.conf | grep /usr/sbin/au

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512

/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512


If AIDE is configured properly to protect the integrity of the audit tools,
all lines listed above will be returned from the command.

If one or more lines are missing, this is a finding.
      Is it the case that integrity checks of the audit tools are missing or incomplete?
      

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have
compromised information system accounts, is a serious and ongoing concern
and can have significant adverse impacts on organizations. Auditing the use
of privileged functions is one way to detect such misuse and identify the
risk from insider threats and the advanced persistent threat.

Verify Oracle Linux 9 audits the execution of privileged functions.

Check if Oracle Linux 9 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?
      

Verify the system generates an audit record when privileged functions are executed.

If audit is using the "auditctl" tool to load the rules, run the following command:

$ sudo grep execve /etc/audit/audit.rules

If audit is using the "augenrules" tool to load the rules, run the following command:

$ sudo grep -r execve /etc/audit/rules.d
          -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
          -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
          -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
          -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid


If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.

Verify Oracle Linux 9 generates audit records for all events that affect "" with the following command:

$ sudo auditctl -l | grep 

-w  -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

The audit system already collects login information for all users
and root.




If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w  -p wa -k logins

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w  -p wa -k logins
          

Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.

Verify Oracle Linux 9 generates audit records for all events that affect "/var/log/tallylog" with the following command:

$ sudo auditctl -l | grep /var/log/tallylog

-w /var/log/tallylog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

The audit system already collects login information for all users
and root.




If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:

-w /var/log/tallylog -p wa -k logins

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:

-w /var/log/tallylog -p wa -k logins
          

Misuse of the init command may cause availability issues for the system.

Verify that Oracle Linux 9 is configured to audit the execution of the "init" command with the following command:

$ sudo auditctl -l | grep init

-a always,exit -F path={{{ path }}}/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of the poweroff command may cause availability issues for the system.

Verify that Oracle Linux 9 is configured to audit the execution of the "poweroff" command with the following command:

$ sudo auditctl -l | grep poweroff

-a always,exit -F path={{{ path }}}/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of the reboot command may cause availability issues for the system.

Verify that Oracle Linux 9 is configured to audit the execution of the "reboot" command with the following command:

$ sudo auditctl -l | grep reboot

-a always,exit -F path={{{ path }}}/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Misuse of the shutdown command may cause availability issues for the system.

Verify that Oracle Linux 9 is configured to audit the execution of the "shutdown" command with the following command:

$ sudo auditctl -l | grep shutdown

-a always,exit -F path={{{ path }}}/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect the execution of privileged
commands for all users and root.

If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          

Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes audit=1,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
The command should not return any output.
      Is it the case that auditing is not enabled at boot time?
      

To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
      

If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish.

To verify that Audit Daemon is configured to record the computer node
name in the audit events, run the following command:
$ sudo grep name_format /etc/audit/auditd.conf
The output should return the following:
name_format = 
      Is it the case that name_format isn't set to ?
      

To configure Audit daemon to use a unique identifier
as computer node name in the audit events,
set name_format to 
            
          
in /etc/audit/auditd.conf.

Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records.

Verify Oracle Linux 9 takes the appropriate action when an audit processing failure occurs.

Check that Oracle Linux 9 takes the appropriate action when an audit processing failure occurs with the following command:

$ sudo grep disk_error_action /etc/audit/auditd.conf

disk_error_action = HALT

If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.
      Is it the case that there is no evidence of appropriate action?
      

The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTION
          
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.

Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records.

Verify Oracle Linux 9 takes the appropriate action when the audit storage volume is full.

Check that Oracle Linux 9 takes the appropriate action when the audit storage volume is full with the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = 

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
      Is it the case that there is no evidence of appropriate action?
      

The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
          
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.

Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed.

Verify Oracle Linux 9 takes the appropriate action when the audit files have reached maximum size.

Check that Oracle Linux 9 takes the appropriate action when the audit files have reached maximum size with the following command:

$ sudo grep max_log_file_action /etc/audit/auditd.conf

max_log_file_action = 
      Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action?
      

The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
          
Possible values for ACTION are described in the auditd.conf man
page. These include:

            
              ignore
            
            
              syslog
            
            
              suspend
            
            
              rotate
            
            
              keep_logs
            
          
Set the 
            ACTION
           to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive.

If option freq isn't set to 
            
          , the flush to disk
may happen after higher number of records, increasing the danger
of audit loss.

To verify that Audit Daemon is configured to flush to disk after
every  records, run the following command:
$ sudo grep freq /etc/audit/auditd.conf
The output should return the following:
freq = 
      Is it the case that freq isn't set to ?
      

To configure Audit daemon to issue an explicit flush to disk command
after writing  records, set freq to 
            
          
in /etc/audit/auditd.conf.

Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality.

Determine the audit log group by running the following command:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified.
Run the following command:

$ sudo find /var/log/audit -type d -printf "%p %g\n"

All listed directories must be owned by the log_group or by root if the log_group is not specified.
      Is it the case that there is a directory owned by different group?
      

All audit directories must be group owned by root user. By default, the path for audit log is /var/log/audit/.

To properly set the group owner of /var/log/audit, run the command:

  $ sudo chgrp root /var/log/audit
  


If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the group ownership of the audit directories to this specific group.

Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality.

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Determine the owner of the audit log directory by using the output of the above command
(default: "/var/log/audit/"). Run the following command with the correct audit log directory
path:

$ sudo ls -ld /var/log/audit

drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit

The audit log directory must be owned by "root"
      Is it the case that the directory is not owned by root?
      

All audit directories must be owned by root user. By default, the path for audit log is /var/log/audit/.

To properly set the owner of /var/log/audit, run the command:

  $ sudo chown root /var/log/audit 
        

If users can write to audit logs, audit trails can be modified or destroyed.

Run the following command to check the mode of the system audit logs:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file=/var/log/audit/audit.log
$ sudo stat -c "%n %a" /var/log/audit/*
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive.
      Is it the case that any permissions are more permissive?
      

Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct
permissive mode with the following command:
$ sudo chmod 0600 audit_log_file
          
By default, audit_log_file is "/var/log/audit/audit.log".

If option local_events isn't set to yes only events from
network will be aggregated.

To verify that Audit Daemon is configured to include local events, run the
following command:
$ sudo grep local_events /etc/audit/auditd.conf
The output should return the following:
local_events = yes
      Is it the case that local_events isn't set to yes?
      

To configure Audit daemon to include local events in Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting.

Without the capability to restrict the roles and individuals that can select which events
are audited, unauthorized personnel may be able to prevent the auditing of critical
events. Misconfigured audits may degrade the system's performance by overwhelming
the audit log. Misconfigured audits may also make it more difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

To check the permissions of /etc/audit/rules.d/*.rules,
run the command:
$ ls -l /etc/audit/rules.d/*.rules
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-------?
      

To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
$ sudo chmod 0600 /etc/audit/rules.d/*.rules
        

Without the capability to restrict the roles and individuals that can select which events
are audited, unauthorized personnel may be able to prevent the auditing of critical
events. Misconfigured audits may degrade the system's performance by overwhelming
the audit log. Misconfigured audits may also make it more difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

To check the permissions of /etc/audit/auditd.conf,
run the command:
$ ls -l /etc/audit/auditd.conf
If properly configured, the output should indicate the following permissions:
-rw-r-----
      Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----?
      

To properly set the permissions of /etc/audit/auditd.conf, run the command:
$ sudo chmod 0640 /etc/audit/auditd.conf
        

It is critical for the appropriate personnel to be aware if a system is at risk of failing to
process audit logs as required. Without this notification, the security personnel may be
unaware of an impending failure of the audit capability, and system operation may be adversely
affected.

Audit processing failures include software/hardware errors, failures in the audit capturing
mechanisms, and audit storage capacity being reached or exceeded.

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the postmaster user:
$ sudo postmap -q postmaster hash:/etc/aliases
The output should return root.
      Is it the case that the alias is not set or is not root?
      

Verify the administrators are notified in the event of an audit processing failure.
Check that the "/etc/aliases" file has a defined value for "root".
$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root
          

It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.

          
Audit processing failures include software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or
exceeded.

To verify that the system will shutdown when auditd fails,
run the following command:
$ sudo grep "\-f " /etc/audit/audit.rules
The output should contain:
-f 
      Is it the case that the system is not configured to shutdown on auditd failures?
      

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to to the bottom of a file with suffix
.rules in the directory /etc/audit/rules.d:
-f 
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
bottom of the /etc/audit/audit.rules file:
-f 
          
        

Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.

Verify that Oracle Linux 9 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = 
      Is it the case that the value of the "action_mail_acct" keyword is not set to "" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?
      

The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = 
          
        

audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue.  If the queue is overrun during boot process, the action
defined by audit failure flag is taken.

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes audit_backlog_limit=8192,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
The command should not return any output.
      Is it the case that audit backlog limit is not configured?
      

To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit_backlog_limit=8192 is added as a kernel command line
argument to newly installed kernels, add audit_backlog_limit=8192 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
      

If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them.

To verify that Audit Daemon is configured to resolve all uid, gid, syscall,
architecture, and socket address information before writing the event to disk,
run the following command:
$ sudo grep log_format /etc/audit/auditd.conf
The output should return the following:
log_format = ENRICHED
      Is it the case that log_format isn't set to ENRICHED?
      

To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf.

The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.

Verify that Oracle Linux 9 generates an audit record for all uses of the "umount" and system call.
To determine if the system is configured to audit calls to the
"umount" system call, run the following command:
$ sudo grep "umount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line like the following.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

At a minimum, the audit system should collect file system umount
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
          

The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.

To determine if the system is configured to audit calls to the
umount2 system call, run the following command:
$ sudo grep "umount2" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

At a minimum, the audit system should collect file system umount2
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
          

Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information
systems with limited audit storage capacity.

To verify whether audispd plugin off-loads audit records onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf

The output should return something similar to where REMOTE_SYSTEM
is an IP address or hostname:
remote_server = REMOTE_SYSTEM

Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command and verify whether it is sufficiently large:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
      Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space?
      

The Oracle Linux 9 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.

The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.

In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.


Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
        

The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server.

To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audit/plugins.d/syslog.conf
If the plugin is active, the output will show yes.
      Is it the case that it is not activated?
      

To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audit/plugins.d/syslog.conf to yes.
Restart the auditd service:
$ sudo service auditd restart
        

The audit system should have an action setup in the event the internal event queue becomes full
so that no data is lost.

Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf

The output should contain overflow_action = syslog

If the value of the "overflow_action" option is not set to syslog,
single, halt or the line is commented out, ask the System Administrator
to indicate how the audit logs are off-loaded to a different system or media.
      Is it the case that auditd overflow action is not set correctly?
      

The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action
to one of the following values: syslog, single, halt.

Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.

Verify Oracle Linux 9 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left /etc/audit/auditd.conf

space_left = %
      Is it the case that the value of the "space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value?
      

The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to
notify the user of an issue.

Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.

Verify Oracle Linux 9 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = 

If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?
      

The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
          
Possible values for ACTION are described in the auditd.conf man page.
These include:

            
              syslog
            
            
              email
            
            
              exec
            
            
              suspend
            
            
              single
            
            
              halt
            
          
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt.

Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.

Verify Oracle Linux 9 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w admin_space_left /etc/audit/auditd.conf

admin_space_left = %

If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity.
      Is it the case that the "admin_space_left" value is not configured to the correct value?
      

The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
admin_space_left = PERCENTAGE%
Set this value to 
to cause the system to perform an action.

If write_logs isn't set to yes, the Audit logs will
not be written to the disk.

To verify that Audit Daemon is configured to write logs to the disk, run the
following command:
$ sudo grep write_logs /etc/audit/auditd.conf
The output should return the following:
write_logs = yes
      Is it the case that write_logs isn't set to yes?
      

To configure Audit daemon to write Audit logs to the disk, set
write_logs to yes in /etc/audit/auditd.conf.
This is the default setting.

Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.

Verify that Oracle Linux 9 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep admin_space_left_action /etc/audit/auditd.conf

admin_space_left_action = single

If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?
      

The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
          
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.

Without path validation, an informed trust decision by the relying party cannot be made when
presented with any certificate not already explicitly trusted.

A trust anchor is an authoritative entity represented via a public key and associated data. It
is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.

When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor;
it can be, for example, a Certification Authority (CA). A certification path starts with the
subject certificate and proceeds through a number of intermediate certificates up to a trusted
root certificate, typically issued by a trusted CA.

This requirement verifies that a certification path to an accepted trust anchor is used for
certificate validation and that the path includes status information. Path validation is
necessary for a relying party to make an informed trust decision when presented with any
certificate not already explicitly trusted. Status information for certification paths includes
certificate revocation lists or online certificate status protocol responses.
Validation of the certificate status information is out of scope for this requirement.

Verify Oracle Linux 9 for PKI-based authentication has valid certificates by constructing a
certification path (which includes status information) to an accepted trust anchor.

Check that the system has a valid DoD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Validity
Not Before: Mar 20 18:46:41 2012 GMT
Not After : Dec 30 18:46:41 2029 GMT
Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
      Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location?
      

SSSD must have acceptable trust anchor present.

If an unauthorized user obtains access to a private key without a passcode,
that user would have unauthorized access to any system where the associated
public key has been installed.

For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/file
If the contents of the key are displayed, this is a finding.
      Is it the case that no ssh private key is accessible without a passcode?
      

When creating SSH key pairs, always use a passcode.

You can create such keys with the following command:
$ sudo ssh-keygen -n [passphrase]
Oracle Linux 9, for certificate-based authentication, must enforce authorized access to the corresponding private key.

Without mapping the certificate used to authenticate to the user account, the ability to
determine the identity of the individual user or group will not be available for forensic
analysis.

To verify Certmap is enabled in SSSD, run the following command:
$ sudo cat /etc/sssd/sssd.conf
If configured properly, output should contain section like the following

[certmap/testing.test/rule_name]
matchrule =.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

      Is it the case that Certmap is not configured in SSSD?
      

SSSD should be configured to verify the certificate of the user or group. To set this up
 ensure that section like certmap/testing.test/rule_name is setup in
/etc/sssd/sssd.conf. For example

[certmap/testing.test/rule_name]
matchrule =.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

        

Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

          
Multi-Factor Authentication (MFA) solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.

To verify that smart cards are enabled in SSSD, run the following command:
$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
If configured properly, output should be
pam_cert_auth = True


To verify that smart cards are enabled in PAM files, run the following command:
$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth
If configured properly, output should be

/etc/pam.d/smartcard-auth:auth        sufficient                                   pam_sss.so allow_missing_name
/etc/pam.d/system-auth:auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

      Is it the case that smart cards are not enabled in SSSD?
      

SSSD should be configured to authenticate access to the system using smart cards.
To enable smart cards in SSSD, set pam_cert_auth to True under the
[pam] section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = True


Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include
"try_cert_auth" or "require_cert_auth" option, like in the following example:

/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to
include the "allow_missing_name" option, like in the following example:
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
        

Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
ensures the security of the system.

Check to see if Online Certificate Status Protocol (OCSP)
is enabled and using the proper digest value on the system with the following command:
$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"
If configured properly, output should look like

    certificate_verification = ocsp_dgst=

      Is it the case that certificate_verification in sssd is not configured?
      

Multifactor solutions that require devices separate from information systems gaining access include,
for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
Configuring certificate_verification to ocsp_dgst=
           ensures that certificates for
multifactor solutions are checked via Online Certificate Status Protocol (OCSP).

If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.

Check if SSSD allows cached authentications with the following command:

$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true

If "cache_credentials" is set to "false" or is missing no further checks are required.

To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
      Is it the case that it does not exist or is not configured properly?
      

SSSD should be configured to expire offline credentials after 1 day.

Check if SSSD allows cached authentications with the following command:

$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true

If "cache_credentials" is set to "false" or is missing no further checks are required.

To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1

        

Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Configuring the smart card driver in use by your organization helps to prevent
users from using unauthorized smart cards.

Verify that Oracle Linux 9 loads the  driver with the following command:

$ grep card_drivers /etc/opensc.conf

card_drivers = ;
      Is it the case that "" is not listed as a card driver, or there is no line returned for "card_drivers"?
      

The OpenSC smart card tool can auto-detect smart card drivers; however,
setting the smart card drivers in use by your organization helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
profile is 
                  
                .
To configure the OpenSC driver, edit the /etc/opensc.conf
and add the following line into the file in the app default block,
so it will look like:


app default {
   ...
   card_drivers = ;
}

              

Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks.

To check if pam_pwquality.so is enabled in system-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in system-auth?
      

To enable PAM password complexity in system-auth file:
Edit the password section in
/etc/pam.d/system-auth to show
password    requisite                                    pam_pwquality.so.

Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.

Verify Oracle Linux 9 is configured to limit the "pwquality" retry option to .


Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command:
$ grep retry /etc/security/pwquality.conf
      Is it the case that the value of "retry" is set to "0" or greater than "", or is missing?
      

To configure the number of retry prompts that are permitted per-session:

Edit the /etc/security/pwquality.conf to include

retry=
                , or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session.

Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.

                
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.

Verify that Oracle Linux 9 enforces password complexity by requiring that at least one upper-case character.

Check the value for "ucredit" with the following command:

$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ucredit = -1
      Is it the case that the value of "ucredit" is a positive number or is commented out?
      

The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks.

To check if pam_pwquality.so is enabled in password-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/password-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in password-auth?
      

To enable PAM password complexity in password-auth file:
Edit the password section in
/etc/pam.d/password-auth to show
password    requisite                                    pam_pwquality.so.

Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.

Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possble combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.

Verify that Oracle Linux 9 enforces password complexity by requiring that at least one lower-case character.

Check the value for "lcredit" with the following command:

$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:lcredit = -1
      Is it the case that the value of "lcredit" is a positive number or is commented out?
      

The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.

                
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.

Verify that Oracle Linux 9 enforces password complexity by requiring that at least one numeric character be used.

Check the value for "dcredit" with the following command:

$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dcredit = 
      Is it the case that the value of "dcredit" is a positive number or is commented out?
      

The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords.

Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.

                
Password complexity is one factor of several that determines how long
it takes to crack a password. The more complex the password, the
greater the number of possible combinations that need to be tested
before the password is compromised.

                
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.

Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:

$ sudo grep difok /etc/security/pwquality.conf

difok = 
      Is it the case that the value of "difok" is set to less than "", or is commented out?
      

The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.

                
Modify the difok setting in /etc/security/pwquality.conf
to equal  to require differing characters
when changing passwords.

Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised.

Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxclassrepeat /etc/security/pwquality.conf

maxclassrepeat = 
      Is it the case that the value of "maxclassrepeat" is set to "0", more than "" or is commented out?
      

The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal 
to prevent a run of ( + 1) or more identical characters.

Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.

                
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.

                
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxrepeat /etc/security/pwquality.conf

maxrepeat = 
      Is it the case that the value of "maxrepeat" is set to more than "" or is commented out?
      

The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal  to prevent a
run of ( + 1) or more identical characters.

Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.

                
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.

                
Requiring a minimum number of character categories makes password guessing attacks more difficult
by ensuring a larger search space.

Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:

$ grep minclass /etc/security/pwquality.conf

minclass = 
      Is it the case that the value of "minclass" is set to less than "" or is commented out?
      

The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry
to require 
differing categories of characters when changing passwords.

Use of a complex password helps to increase the time and resources required to compromise
the password. Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a
password. The more complex the password, the greater the number of possible combinations
that need to be tested before the password is compromised.

Verify that Oracle Linux 9 enforces password complexity rules for the root account.

Check if root user is required to use complex passwords with the following command:

$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:enforce_for_root
      Is it the case that "enforce_for_root" is commented or missing?
      

The pam_pwquality module's enforce_for_root parameter controls requirements for
enforcing password complexity for the root user. Enable the enforce_for_root
setting in /etc/security/pwquality.conf to require the root user
to use complex passwords.

Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.

              
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult.

Verify that the libuser is set to encrypt password with a FIPS 140-3 approved cryptographic hashing algorithm.


Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i crypt_style /etc/libuser.conf

crypt_style = 
      Is it the case that crypt_style is not set to sha512?
      

In /etc/libuser.conf, add or correct the following line in its [defaults]
section to ensure the system will use the 
algorithm for password hashing:
crypt_style = 
              
            

Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.

              
Using a stronger hashing algorithm makes password cracking attacks more difficult.

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-3 approved cryptographic hashing algorithm.


Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD 
      Is it the case that ENCRYPT_METHOD is not set to ?
      

In /etc/login.defs, add or update the following line to ensure the system will use
 as the hashing algorithm:
ENCRYPT_METHOD 
              
            

Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.

              
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult.

Inspect the password section of /etc/pam.d/password-auth
and ensure that the pam_unix.so module is configured to use the argument
:

$ grep  /etc/pam.d/password-auth
      Is it the case that it does not?
      

The PAM system service can be configured to only store encrypted representations of passwords.
In /etc/pam.d/password-auth, the password section of the file controls which
PAM modules to execute during a password change.

Set the pam_unix.so module in the password section to include the option

                
               and no other hashing
algorithms as shown below:

              password    sufficient    pam_unix.so 
                other arguments...
              
              
This will help ensure that new passwords for local users will be stored using the
 algorithm.

Using a higher number of rounds makes password cracking attacks more difficult.

To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds /etc/pam.d/password-auth
The output should show the following match:

password sufficient pam_unix.so sha512 rounds=
      Is it the case that rounds is not set to  or is commented out?
      

Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.

              
In file /etc/pam.d/password-auth append rounds=
              
to the pam_unix.so entry, as shown below:

password sufficient pam_unix.so ...existing_options... rounds=
              

The system's default number of rounds is 5000.

Using a higher number of rounds makes password cracking attacks more difficult.

To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds /etc/pam.d/system-auth
The output should show the following match:
password sufficient pam_unix.so sha512 rounds=
      Is it the case that rounds is not set to  or is commented out?
      

Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.

              
In file /etc/pam.d/system-auth append rounds=
              
to the pam_unix.so entry, as shown below:
password sufficient pam_unix.so ...existing_options... rounds=
              
The system's default number of rounds is 5000.

Passwords need to be protected at all times, and hashing is the standard
method for protecting passwords. If passwords are not hashed, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are hashed with a weak algorithm are no more protected than if
they are kept in plain text.

              
Using more hashing rounds makes password cracking attacks more difficult.

Inspect /etc/login.defs and ensure that if either
SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
are set, they must have the minimum value of .
      Is it the case that it does not?
      

In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 
                
              .
For example:
SHA_CRYPT_MIN_ROUNDS 
SHA_CRYPT_MAX_ROUNDS 
              
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of .

Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised.

Verify that the interactive user account passwords are using a strong
password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
      Is it the case that any interactive user password hash does not begin with "$6"?
      

Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding.

Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse.

Verify that Oracle Linux 9 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
              
            

Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse.

Verify that Oracle Linux 9 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
              
            

Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.

              
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.

Verify that Oracle Linux 9 enforces a -day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "", or commented out?
      

To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 
              
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 
                
              .

Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised.

Check whether the maximum time period for existing passwords is restricted to  days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

Configure non-compliant accounts to enforce a -day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 
                USER
              
            

The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromise the password.

Verify that Oracle Linux 9 enforces a minimum -character password length with the following command:

$ grep minlen /etc/security/pwquality.conf

minlen = 
      Is it the case that the command does not return a "minlen" value of "" or greater, does not return a line, or the line is commented out?
      

The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
                
after pam_pwquality to set minimum password length requirements.

If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.

To verify that null passwords cannot be used, run the following command:

$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth

If this produces any output, it may be possible to log into accounts
with empty passwords. Remove any instances of the nullok option to
prevent logins with empty passwords.
      Is it the case that NULL passwords can be used?
      

If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in

/etc/pam.d/system-auth and
/etc/pam.d/password-auth

to prevent logins with empty passwords.

Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.

First, check whether the password is defined in either /boot/grub2/user.cfg or
/boot/grub2/grub.cfg.
Run the following commands:
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg
$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg


Second, check that a superuser is defined in /boot/grub2/grub.cfg.
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  /boot/grub2/grub.cfg
      Is it the case that it does not produce any output?
      

The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.

            
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:

# grub2-setpassword

When prompted, enter the password that was selected.

            
          

Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.

                
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.

Verify that Oracle Linux 9 enforces password complexity by requiring that at least one special character with the following command:

$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ocredit = 
      Is it the case that value of "ocredit" is a positive number or is commented out?
      

The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal 
to require use of a special character in passwords.

Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.

                
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.

                
Passwords with dictionary words may be more vulnerable to password-guessing attacks.

Verify Oracle Linux 9 prevents the use of dictionary words for passwords with the following command:

$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dictcheck=1
      Is it the case that "dictcheck" does not have a value other than "0", or is commented out?
      

The pam_pwquality module's dictcheck check if passwords contains dictionary words. When
dictcheck is set to 1 passwords will be checked for dictionary words.

If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.

To verify that null passwords cannot be used, run the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
      Is it the case that Blank or NULL passwords can be used?
      

Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
            

Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.

            
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity.

To check that the autofs service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled autofs disabled

Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active autofs

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the autofs is masked, run the following command:
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "autofs" is loaded and not masked?
      

The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.

            

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
          

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle
requests from the remote user. The userid and groupid could mistakenly or maliciously be set
incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client
systems to more securely authenticate the remote mount request.

To verify the sec option is configured for all NFS mounts, run the following command:
$ mount | grep "sec="
All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses.
This is not applicable if NFS is not implemented.
      Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added?
      

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.

Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.

To verify the nodev option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nodev setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?
      

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.

The noexec mount option causes the system not to execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized
administrative access.

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses.  This is not applicable if NFS is
not implemented.
      Is it the case that the setting does not show?
      

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.

To verify the nosuid option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?
      

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.

Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise.

To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify all partitions
in the output are not removable media.
      Is it the case that removable media partitions are present?
      

The noexec mount option prevents the direct execution of binaries
on the mounted filesystem. Preventing the direct execution of binaries from
removable media (such as a USB key) provides a defense against malicious
software that may be present on such untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of

    any removable media partitions.

The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems.

Verify file systems that are used for removable media are mounted with the "nodev" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set?
      

The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of

    any removable media partitions.

The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?
      

The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of

    any removable media partitions.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /boot mount point,
    run the following command:
    $ sudo mount | grep '\s/boot\s'
    . . . /boot . . . nodev . . .

      Is it the case that the "/boot" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /boot.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions.

Verify the nosuid option is configured for the /boot mount point,
    run the following command:
    $ sudo mount | grep '\s/boot\s'
    . . . /boot . . . nosuid . . .

      Is it the case that the "/boot" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /boot. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions.

Verify the nosuid option is configured for the /boot/efi mount point,
    run the following command:
    $ sudo mount | grep '\s/boot/efi\s'
    . . . /boot/efi . . . nosuid . . .

      Is it the case that the "/boot/efi" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /boot/efi. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot/efi.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . nodev . . .

      Is it the case that the "/dev/shm" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.

Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise.

Verify the noexec option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . noexec . . .

      Is it the case that the "/dev/shm" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.

Verify the nosuid option is configured for the /dev/shm mount point,
    run the following command:
    $ sudo mount | grep '\s/dev/shm\s'
    . . . /dev/shm . . . nosuid . . .

      Is it the case that the "/dev/shm" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm.  The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/tmp\s'
    . . . /tmp . . . nodev . . .

      Is it the case that the "/tmp" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.

Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise.

Verify the noexec option is configured for the /tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/tmp\s'
    . . . /tmp . . . noexec . . .

      Is it the case that the "/tmp" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.

Verify the nosuid option is configured for the /tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/tmp\s'
    . . . /tmp . . . nosuid . . .

      Is it the case that the "/tmp" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /var mount point,
    run the following command:
    $ sudo mount | grep '\s/var\s'
    . . . /var . . . nodev . . .

      Is it the case that the "/var" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /var.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /var/log mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log\s'
    . . . /var/log . . . nodev . . .

      Is it the case that the "/var/log" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /var/log.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log.

Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise.

Verify the noexec option is configured for the /var/log mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log\s'
    . . . /var/log . . . noexec . . .

      Is it the case that the "/var/log" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files.

Verify the nosuid option is configured for the /var/log mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log\s'
    . . . /var/log . . . nosuid . . .

      Is it the case that the "/var/log" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /var/log/audit mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log/audit\s'
    . . . /var/log/audit . . . nodev . . .

      Is it the case that the "/var/log/audit" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /var/log/audit.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit.

Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise.

Verify the noexec option is configured for the /var/log/audit mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log/audit\s'
    . . . /var/log/audit . . . noexec . . .

      Is it the case that the "/var/log/audit" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files.

Verify the nosuid option is configured for the /var/log/audit mount point,
    run the following command:
    $ sudo mount | grep '\s/var/log/audit\s'
    . . . /var/log/audit . . . nosuid . . .

      Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit. The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /var/tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/var/tmp\s'
    . . . /var/tmp . . . nodev . . .

      Is it the case that the "/var/tmp" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /var/tmp. Legitimate character and block devices
should not exist within temporary directories like /var/tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp.

Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise.

Verify the noexec option is configured for the /var/tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/var/tmp\s'
    . . . /var/tmp . . . noexec . . .

      Is it the case that the "/var/tmp" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.

Verify the nosuid option is configured for the /var/tmp mount point,
    run the following command:
    $ sudo mount | grep '\s/var/tmp\s'
    . . . /var/tmp . . . nosuid . . .

      Is it the case that the "/var/tmp" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp.

The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.

Verify the nodev option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . nodev . . .

      Is it the case that the "/home" file system does not have the "nodev" option set?
      

The nodev mount option can be used to prevent device files from
being created in /home.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/home.

The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions.

Verify the nosuid option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . nosuid . . .

      Is it the case that the "/home" file system does not have the "nosuid" option set?
      

The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home.

The /home directory contains data of individual users. Binaries in
this directory should not be considered as trusted and users should not be
able to execute them.

Verify the noexec option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . noexec . . .

      Is it the case that the "/home" file system does not have the "noexec" option set?
      

The noexec mount option can be used to prevent binaries from being
executed out of /home.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/home.

The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems.

To verify the nodev option is configured for non-root local partitions, run the following command:
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
The output shows local non-root partitions mounted without the nodev option, and there should be no output at all.

      Is it the case that some mounts appear among output lines?
      

The nodev mount option prevents files from being interpreted as
character or block devices. Legitimate character and block devices should
exist only in the /dev directory on the root partition or within
chroot jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of

    any non-root local partitions.

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
      Is it the case that GNOME automounting is not disabled?
      

The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mount running in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
      Is it the case that GNOME autorun is not disabled?
      

The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.

Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.

To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/local.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-list
      Is it the case that disable-user-list has not been configured or is not disabled?
      

In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting disable-user-list
to true.

              
To disable, add or edit disable-user-list to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense.

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.
      Is it the case that the screensaver lock delay is missing, or is set to a value greater than ?
      

To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 
               in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 
              
After the settings have been set, run dconf update.

A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock.

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is set to 0 or a value greater than ?
      

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

              
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
            

Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.

To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.

To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
      Is it the case that it is not set or configured properly?
      

To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''

Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.

A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence,
run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
      Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?
      

By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.

              
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to [''] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=['']
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
      Is it the case that GNOME automounting is not disabled?
      

The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mount running in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
      Is it the case that GNOME autorun is not disabled?
      

The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.

Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.

              
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      

In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.

              
To enable, add or edit banner-message-enable to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set.

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense.

To check the status of the idle screen lock activation, run the following command:

$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
      

To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true

Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings.

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?
      

If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings.

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
      Is it the case that GNOME3 session settings are not locked or configured properly?
      

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.

Locking the screen automatically when removing the smartcard can
prevent undesired access to system.

To ensure screen locking on smartcard removal is enabled, run the following command:
$ grep removal-action /etc/dconf/db/local.d/*
The output should be 'lock-screen'.
To ensure that users cannot disable screen locking on smartcard removal, run the following:
$ grep removal-action /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action
      Is it the case that removal-action has not been configured?
      

In the default graphical environment, screen locking on smartcard removal
can be enabled by setting removal-action
to 'lock-screen'.

              
To enable, add or edit removal-action to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.

A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot.

To ensure disable and restart on the login screen are disabled, run the following command:
$ grep disable-restart-buttons /etc/dconf/db/local.d/*
The output should be true.
To ensure that users cannot enable disable and restart on the login screen, run the following:
$ grep disable-restart-buttons /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons
      Is it the case that disable-restart-buttons has not been configured or is not disabled?
      

In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability the ability to shutdown or restart the system. This
functionality should be disabled by setting
disable-restart-buttons to true.

              
To disable, add or edit disable-restart-buttons to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.

A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot.

To ensure disable and restart on the login screen are disabled, run the following command:
$ grep disable-restart-buttons /etc/dconf/db/local.d/*
The output should be true.
To ensure that users cannot enable disable and restart on the login screen, run the following:
$ grep disable-restart-buttons /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons
      Is it the case that disable-restart-buttons has not been configured or is not disabled?
      

In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability the ability to shutdown or restart the system. This
functionality should be disabled by setting
disable-restart-buttons to true.

              
To disable, add or edit disable-restart-buttons to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.

A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence,
run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
      Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?
      

By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.

              
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to [''] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=['']
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.

Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.

              
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      

In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.

              
To enable, add or edit banner-message-enable to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set.

An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.

To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/local.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
      Is it the case that it does not?
      

In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.

              
To enable, add or edit banner-message-text to

/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text

After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines.

Locking the screen automatically when removing the smartcard can
prevent undesired access to system.

To ensure screen locking on smartcard removal is enabled, run the following command:
$ grep removal-action /etc/dconf/db/local.d/*
The output should be 'lock-screen'.
To ensure that users cannot disable screen locking on smartcard removal, run the following:
$ grep removal-action /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action
      Is it the case that removal-action has not been configured?
      

In the default graphical environment, screen locking on smartcard removal
can be enabled by setting removal-action
to 'lock-screen'.

              
To enable, add or edit removal-action to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.

Failure to restrict system access to authenticated users negatively impacts operating
system security.

To verify that automatic logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
AutomaticLoginEnable=false
      Is it the case that GDM allows users to automatically login?
      

The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false
            

Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them.

In order to be sure that the databases are up-to-date, run the
dconf update
command as the administrator.
      Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles?
      

By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf update command. More specifically, content present
in the following directories:
/etc/dconf/db/local.d
            /etc/dconf/db/local.d
          

The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.

Verify the umask setting is configured correctly in the /etc/bashrc file with the following command:

$ sudo grep "umask" /etc/bashrc

umask 
      Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out?
      

To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 
              
            

The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command:

$ grep umask /etc/csh.cshrc

umask 077
umask 077
      Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out?
      

To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 
              
            

The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.

Verify the umask setting is configured correctly in the /etc/profile file
or scripts within /etc/profile.d directory with the following command:
$ grep "umask" /etc/profile*
umask 
      Is it the case that the value for the "umask" parameter is not "",
or the "umask" parameter is missing or is commented out?
      

To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 
              

Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary.

The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.

Verify Oracle Linux 9 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 
      Is it the case that the value for the "UMASK" parameter is not "", or the "UMASK" parameter is missing or is commented out?
      

To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
              
            

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Verify Oracle Linux 9 disables the chrony daemon from acting as a server with the following command:
$ grep -w port /etc/chrony.conf
port 0
      Is it the case that the "port" option is not set to "0", is commented out, or is missing?
      

The port option in /etc/chrony.conf can be set to
0 to make chrony daemon to never open any listening port
for server operation and to operate strictly in a client-only mode.

Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface.

Verify Oracle Linux 9 disables network management of the chrony daemon with the following command:
$ grep -w cmdport /etc/chrony.conf
cmdport 0
      Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing?
      

The cmdport option in /etc/chrony.conf can be set to
0 to stop chrony daemon from listening on the UDP port 323
for management connections made by chronyc.

Depending on the infrastructure being used the pool directive may not be supported.
Using the server directive allows for better control of where the system gets time data from.

Run the following command and verify that time sources are only configured with server directive:
# grep -E "^(server|pool)" /etc/chrony.conf
A line with the appropriate server should be returned, any line returned starting with pool is a finding.
      Is it the case that an authoritative remote time server is not configured or configured with pool directive?
      

Check that Chrony only has time sources configured with the server directive.

Using the Linux Audit logging allows for centralized trace
of events.

To verify that Linux Audit logging is enabled for the USBGuard daemon,
run the following command:
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
The output should be
AuditBackend=LinuxAudit
      Is it the case that AuditBackend is not set to LinuxAudit?
      

To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
AuditBackend option in /etc/usbguard/usbguard-daemon.conf
needs to be set to LinuxAudit.

The usbguard must be configured to allow connected USB devices to work
properly, avoiding the system to become inaccessible.

Verify the USBGuard has a policy configured with the following command:

$ usbguard list-rules

allow id 1d6b:0001 serial

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.
      Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection?
      

By default USBGuard when enabled prevents access to all USB devices and this lead
to inaccessible system if they use USB mouse/keyboard. To prevent this scenario,
the initial policy configuration must be generated based on current connected USB
devices.

USB storage devices such as thumb drives can be used to introduce
malicious software.

If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.

To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false

To configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storage

This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually.

SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO or
VERBOSE level is the basic level that only records login activity of SSH users. In many
situations, such as Incident Response, it is important to determine when a particular user was active
on a system. The logout record can eliminate those users who disconnected, which helps narrow the
field.

To determine how the SSH daemon's LogLevel option is set, run the following command:

$ sudo grep -i LogLevel /etc/ssh/sshd_config

If a line indicating VERBOSE is returned, then the required value is set.

      Is it the case that the required value is not set?
      

The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in


/etc/ssh/sshd_config:

LogLevel VERBOSE
          

GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system.

To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:

$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.

The default SSH configuration disallows authentications based on GSSAPI. The appropriate
configuration is used if no value is set for GSSAPIAuthentication.

To explicitly disable GSSAPI authentication, add or correct the following line in


/etc/ssh/sshd_config:

GSSAPIAuthentication no
          

By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited.

To check if RekeyLimit is set correctly, run the
following command:

$ sudo grep RekeyLimit /etc/ssh/sshd_config

If configured properly, output should be
RekeyLimit  
      Is it the case that it is commented out or is not set?
      

The RekeyLimit parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed.
To decrease the default limits, add or correct the following line in


/etc/ssh/sshd_config:

RekeyLimit 
              
            
          

Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.

To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in


/etc/ssh/sshd_config:


            PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.

When UsePAM is set to yes, PAM runs through account and session types properly. This is
important if you want to restrict access to services based off of IP, time or other factors of
the account. Additionally, you can make sure users inherit certain environment variables
on login or disallow access to the server.

To determine how the SSH daemon's UsePAM option is set, run the following command:

$ sudo grep -i UsePAM /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.

To enable PAM authentication, add or correct the following line in


/etc/ssh/sshd_config:

UsePAM yes
          

Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password.

To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in


/etc/ssh/sshd_config:

PermitRootLogin no
          

This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached.

To ensure ClientAliveInterval is set correctly, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveCountMax 
For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when
the ClientAliveInterval is set.  Starting with v8.2, a value of 0 disables the timeout
functionality completely.
If the option is set to a number greater than 0, then the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
      Is it the case that it is commented out or not configured properly?
      

The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message.

Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended.

Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval 
      Is it the case that it is commented out or not configured properly?
      

SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.

            
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 
                
              
            
            
            
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.

            
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle.

SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.

To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:

$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.

The default SSH configuration disables support for .rhosts. The appropriate
configuration is used if no value is set for IgnoreRhosts.

To explicitly disable support for .rhosts files, add or correct the following line in


/etc/ssh/sshd_config:

IgnoreRhosts yes
          

Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere.

To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available.  This should be disabled.

            
To ensure this behavior is disabled, add or correct the following line in


/etc/ssh/sshd_config:

IgnoreUserKnownHosts yes
          

Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders.

To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.

The default SSH configuration disables X11Forwarding. The appropriate
configuration is used if no value is set for X11Forwarding.

To explicitly disable X11 Forwarding, add or correct the following line in


/etc/ssh/sshd_config:

X11Forwarding no
          

If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user.

To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.

The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.

To explicitly enable StrictModes in SSH, add or correct the following line in


/etc/ssh/sshd_config:

StrictModes yes
          

Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use.

To determine how the SSH daemon's PrintLastLog option is set, run the following command:

$ sudo grep -i PrintLastLog /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Ensure that SSH will display the date and time of the last successful account logon.

The default SSH configuration enables print of the date and time of the last login.
The appropriate configuration is used if no value is set for PrintLastLog.

To explicitly enable LastLog in SSH, add or correct the following line in


/etc/ssh/sshd_config:

PrintLastLog yes
          

When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display.

To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:

$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.
      Is it the case that the display proxy is listening on wildcard address?
      

The SSH daemon should prevent remote hosts from connecting to the proxy
display.

The default SSH configuration for X11UseLocalhost is yes,
which prevents remote hosts from connecting to the proxy display.

To explicitly prevent remote connections to the proxy display, add or correct
the following line in


/etc/ssh/sshd_config:

X11UseLocalhost yes
          

If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges.

To check if compression is enabled or set correctly, run the
following command:
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be no or delayed.
      Is it the case that it is commented out, or is not set to no or delayed?
      

Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression 
            
          

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation.
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.

To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:

$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.

The default SSH configuration disallows authentication validation through Kerberos.
The appropriate configuration is used if no value is set for KerberosAuthentication.

To explicitly disable Kerberos authentication, add or correct the following line in


/etc/ssh/sshd_config:

KerberosAuthentication no
          

SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.

To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:

$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.

The default SSH configuration disables host-based authentication. The appropriate
configuration is used if no value is set for HostbasedAuthentication.

To explicitly disable host-based authentication, add or correct the
following line in


/etc/ssh/sshd_config:

HostbasedAuthentication no
          

SSH environment options potentially allow users to bypass
access restriction in some configurations.

To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Ensure that users are not able to override environment variables of the SSH daemon.

The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.

To explicitly disable Environment options, add or correct the following


/etc/ssh/sshd_config:

PermitUserEnvironment no
          

Without the use of multifactor authentication, the ease of access to
privileged functions is greatly increased. Multifactor authentication
requires using two or more factors to achieve authentication.
A privileged account is defined as an information system account with
authorizations of a privileged user. 
The DoD CAC with DoD-approved PKI is an example of multifactor
authentication.

To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:

$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Enable SSH login with public keys.

The default SSH configuration enables authentication based on public keys. The appropriate
configuration is used if no value is set for PubkeyAuthentication.

To explicitly enable Public Key Authentication, add or correct the following


/etc/ssh/sshd_config:

PubkeyAuthentication yes
          

Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.

            
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.

Verify the operating system requires re-authentication
when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number.
If conflicting results are returned, this is a finding.
      Is it the case that timestamp_timeout is not set with the appropriate value for sudo?
      

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

The su program allows to run commands with a substitute user and
group ID. It is commonly used to run commands as the root user. Limiting
access to such command is considered a good security practice.

Run the following command to check if the line is present:
grep pam_wheel /etc/pam.d/su
The output should contain the following line:
auth required pam_wheel.so use_uid
      Is it the case that the line is not in the file or it is commented?
      

To ensure that only users who are members of the wheel group can
run commands with altered privileges through the su command, make
sure that the following line exists in the file /etc/pam.d/su:
auth required pam_wheel.so use_uid
            

Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.

            
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.

To determine if !authenticate has not been configured for sudo, run the following command:
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that !authenticate is specified in the sudo config files?
      

The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/.

Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.

            
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.

To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that nopasswd is specified in the sudo config files?
      

The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.

Without re-authentication, users may access resources or perform tasks for which they do not
have authorization. When operating systems provide the capability to escalate a functional
capability, it is critical the user re-authenticate.

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?
      

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
User namespaces are used primarily for Linux containers. The value 0
disallows the use of user namespaces.

Verify that Oracle Linux 9 disables the use of user namespaces with the following commands:

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.

The runtime status of the user.max_user_namespaces kernel parameter can be queried
by running the following command:
$ sysctl user.max_user_namespaces
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the user.max_user_namespaces kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0

To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set
to large non-zero value.

A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.

The runtime status of the kernel.core_pattern kernel parameter can be queried
by running the following command:
$ sysctl kernel.core_pattern
|/bin/false.

      Is it the case that the returned line does not have a value of "|/bin/false", or a line is not
returned and the need for core dumps is not documented with the Information
System Security Officer (ISSO) as an operational requirement?
      

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false
          

A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.

Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy.

Verify Oracle Linux 9 disables core dump backtraces by issuing the following command:

$ grep -i process /etc/systemd/coredump.conf

ProcessSizeMax=0
      Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
      

The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated.

A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy.

Verify Oracle Linux 9 disables storing core dumps for all users by issuing the following command:

$ grep -i storage /etc/systemd/coredump.conf

Storage=none
      Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
      

The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently.

A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.

Verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
*     hard   core    0
      Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"?
      

To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
*     hard   core    0
            

A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems.

To verify that acquiring, saving, and processing core dumps is disabled, run the
following command:
$ systemctl status systemd-coredump.socket
The output should be similar to:
● systemd-coredump.socket
   Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
   Active: inactive (dead) ...

      Is it the case that unit systemd-coredump.socket is not masked or running?
      

The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled.

Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service.

To check that the kdump service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled kdump disabled

Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active kdump

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the kdump is masked, run the following command:
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "kdump" is loaded and not masked?
      

The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.

The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
        

Poisoning writes an arbitrary value to freed objects, so any modification or
reference to that object after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes slub_debug=,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug='
The command should not return any output.
      Is it the case that SLUB/SLAB poisoning is not enabled?
      

To enable poisoning of SLUB/SLAB objects,
add the argument slub_debug=
               to the default
GRUB 2 command line for the Linux operating system.
To ensure that slub_debug=
               is added as a kernel command line
argument to newly installed kernels, add slub_debug=
               to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... slub_debug= ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="slub_debug="
            

Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR).

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes pti=on,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'pti=on'
The command should not return any output.
      Is it the case that Kernel page-table isolation is not enabled?
      

To enable Kernel page-table isolation,
add the argument pti=on to the default
GRUB 2 command line for the Linux operating system.
To ensure that pti=on is added as a kernel command line
argument to newly installed kernels, add pti=on to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="pti=on"
        

Using interactive or recovery boot, the console user could disable auditing, firewalls,
or other services, weakening system security.

Inspect /etc/default/grub for any instances of
systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments.
Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates
that interactive boot is enabled at boot time and verify that
GRUB_DISABLE_RECOVERY=true to disable recovery boot.
      Is it the case that Interactive boot is enabled at boot time?
      

Oracle Linux 9 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Oracle Linux 9
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from
the kernel arguments in that file to disable interactive boot.
Recovery booting must also be disabled. Confirm that
GRUB_DISABLE_RECOVERY=true is set in  /etc/default/grub.
It is also required to change the runtime configuration, run:

/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
            grub2-mkconfig -o /boot/grub2/grub.cfg
          

Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer.

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes vsyscall=none,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none'
The command should not return any output.
      Is it the case that vsyscalls are enabled?
      

To disable use of virtual syscalls,
add the argument vsyscall=none to the default
GRUB 2 command line for the Linux operating system.
To ensure that vsyscall=none is added as a kernel command line
argument to newly installed kernels, add vsyscall=none to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="vsyscall=none"
        

Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes page_poison=1,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
The command should not return any output.
      Is it the case that page allocator poisoning is not enabled?
      

To enable poisoning of free pages,
add the argument page_poison=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that page_poison=1 is added as a kernel command line
argument to newly installed kernels, add page_poison=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="page_poison=1"
            

In the event of a system failure, Oracle Linux 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.

Run the following command to determine the current status of the
systemd-journald service:
$ sudo systemctl is-active systemd-journald
If the service is running, it should return the following: active
      Is it the case that the systemd-journald service is not running?
      

The systemd-journald service is an essential component of
systemd.

The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service
          

By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of open() or creat().

The runtime status of the fs.protected_hardlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_hardlinks
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1
          

By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
open() or creat().

The runtime status of the fs.protected_symlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_symlinks
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1
          

This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted.

To check that the debug-shell service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled debug-shell
Output should indicate the debug-shell service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled debug-shell disabled

Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active debug-shell

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the debug-shell is masked, run the following command:
$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "debug-shell" is loaded and not masked?
      

SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.

            
By default, the debug-shell SystemD service is already disabled.

The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
          

Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented.

Verify that the IPSec service uses the system crypto policy.

If the ipsec service is not installed is not applicable.

Check to see if the "IPsec" service is active with the following command:

$ systemctl status ipsec

ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)

If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command:

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
      Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain include /etc/crypto-policies/back-ends/libreswan.config?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.

To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf
includes the appropriate configuration file.
In /etc/ipsec.conf, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config
            

A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues.  These messages must
be forwarded to at least one monitored email address.

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias.
      Is it the case that the alias is not set?
      

Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
 is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
          

Unprivileged access to the kernel syslog can expose sensitive kernel
address information.

The runtime status of the kernel.dmesg_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.dmesg_restrict
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
          

Kernel profiling can reveal sensitive information about kernel behaviour.

The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried
by running the following command:
$ sysctl kernel.perf_event_paranoid
2.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2
          

Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0.

The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate either:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2
The output of the command should not indicate:
kernel.kptr_restrict = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the /etc/sysctl.d directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2

Conflicting assignments are not allowed.
      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
      

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=
              
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 
              
            

Loading and accessing the packet filters programs and maps using the bpf()
syscall has the potential of revealing sensitive information about the kernel state.

The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried
by running the following command:
$ sysctl kernel.unprivileged_bpf_disabled
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1
          

Unrestricted usage of ptrace allows compromised binaries to run ptrace
on another processes of the user. Like this, the attacker can steal
sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
without any additional assistance from the user (i.e. without resorting to phishing).

The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried
by running the following command:
$ sysctl kernel.yama.ptrace_scope
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1
          

Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended.

Run the following command to ensure the TMOUT value is configured for all users
on the system:

$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh

The output should return the following:
TMOUT=
      Is it the case that the TMOUT value is not configured, is set to 0, or is not less than or equal to the expected setting?
      

Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity. A value of 0 (zero)
disables the automatic logout feature and is therefore not a compliant setting.
The value of TMOUT should be a positive integer, exported, and read only.
The TMOUT

setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT=
            
or
declare -xr TMOUT=
            
Using the typeset keyword is preferred for wider compatibility with ksh and other shells.

A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.

To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
enter the following command:
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
CtrlAltDelBurstAction=none
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.?
      

By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

            
To configure the system to ignore the CtrlAltDelBurstAction

setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
          

A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
      

By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.

            
To configure the system to ignore the Ctrl-Alt-Del key sequence from the

command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
            
            
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates.

Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.

Verify Oracle Linux 9 limits the number of concurrent sessions to
"" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?
      

Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 
            
          

By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.

To ensure the failed password attempt policy is configured correctly, run the following command:

$ grep fail_interval /etc/security/faillock.conf
The output should show fail_interval =  where interval-in-seconds is  or greater.
      Is it the case that the "fail_interval" option is not set to ""
or less (but not "0"), the line is commented out, or the line is missing?
      

Utilizing pam_faillock.so, the fail_interval directive configures the system
to lock out an account after a number of incorrect login attempts within a specified time
period.

Ensure that the file /etc/security/faillock.conf contains the following entry:
fail_interval =  where interval-in-seconds is 
                
               or greater.


In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.

By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.

Verify Oracle Linux 9 is configured to lock an account until released by an administrator
after  unsuccessful logon
attempts with the command:

$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = 
      Is it the case that the "unlock_time" option is not set to "",
the line is missing, or commented out?
      

This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so.

Ensure that the file /etc/security/faillock.conf contains the following entry:
unlock_time= where
interval-in-seconds is 
                
               or greater.

pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.

If unlock_time is set to 0, manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool.

The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise.  Encrypting this data mitigates
the risk of its loss if the system is lost.

Check the system partitions to determine if they are encrypted with the following command:
blkid

Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"

The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?
      

Oracle Linux 9 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.

            
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.


            
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
            
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.

            
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.


            
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Oracle Linux 9 Documentation web site:
            https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options
.

The shosts.equiv files are used to configure host-based authentication for the system via SSH.
Host-based authentication is not sufficient for preventing unauthorized access to the system,
as it does not require interactive identification and authentication of a connection request,
or for the use of two-factor authentication.

Verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
      Is it the case that shosts.equiv files exist?
      

The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
          

The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication.

To verify that there are no .shosts files
on the system, run the following command:
$ sudo find / -name '.shosts'
      Is it the case that .shosts files exist?
      

The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
          

Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented.

To verify that BIND uses the system crypto policy, check out that the BIND config file
/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config";
directive:
$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf
Verify that the directive is at the bottom of the options section of the config file.
      Is it the case that BIND is installed and the BIND config file doesn't contain the
include "/etc/crypto-policies/back-ends/bind.config";
 directive?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.

To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options section of /etc/named.conf, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config";
            

ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address as
a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process's memory
regions such as the stack and heap higher than this address, the hardware
prevents execution in that address range. This is enabled by default on the
latest Red Hat and Fedora systems if supported by the hardware.

To verify ExecShield is enabled on 64-bit Oracle Linux 9 systems,
run the following command:
$ dmesg | grep '[NX|DX]*protection'
The output should not contain 'disabled by kernel command line option'.
Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes noexec=off,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*noexec=off.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*noexec=off.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'noexec=off'
The command should not return any output.
      Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.?
      

By default on Oracle Linux 9 64-bit systems, ExecShield is
enabled and can only be disabled if the hardware does not support
ExecShield or is disabled in /etc/default/grub.

Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques.

The runtime status of the kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_space
2.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
            

Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented.

Check that the symlink exists and target the correct Kerberos crypto policy, with the following command:
file /etc/krb5.conf.d/crypto-policies
If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy.
/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
      Is it the case that the symlink does not exist or points to a different target?
      

Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Kerberos is supported by crypto policy, but it's configuration may be
set up to ignore it.
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

If unrestricted mail relaying is permitted, unauthorized senders could use this
host as a mail relay for the purpose of sending spam or other unauthorized
activity.

Verify that Oracle Linux 9 is configured to prevent unrestricted mail relaying,
run the following command:
$ sudo postconf -n smtpd_client_restrictions
      Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"?
      

Modify the /etc/postfix/main.cf file to restrict client connections
to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
              

Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.

Verify the TFTP daemon is configured to operate in secure mode.

Check if a TFTP server is installed with the following command:

$ sudo dnf list --installed tftp-server

tftp-server.x86_64    5.2-35.el9.x86_64


If a TFTP server is not installed, this is Not Applicable.


If a TFTP server is installed, check for the server arguments with the following command:

$ systemctl cat tftp | grep ExecStart=
ExecStart=/usr/sbin/in.tftpd -s 
      Is it the case that 'the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned'?
      

If running the Trivial File Transfer Protocol (TFTP) service is necessary,
it should be configured to change its root directory at startup. To do so,
find the path for the tftp systemd service:
$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service

and ensure the ExecStart line on that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s 
            
          

If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level.

Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?
      

Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE
            
          

Disabling kexec_load allows greater control of the kernel memory.
It makes it impossible to load another kernel image after it has been disabled.

The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried
by running the following command:
$ sysctl kernel.kexec_load_disabled
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1
          

When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in /proc/kallsyms.

The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried
by running the following command:
$ sysctl net.core.bpf_jit_harden
2.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2
          

If a device file carries the SELinux type device_t or
unlabeled_t, then SELinux cannot properly restrict access to the
device file.

To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
      Is it the case that there is output?
      

Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.

          
To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
          $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.

Accounts providing no operational purpose provide additional opportunities for
system compromise. Unnecessary accounts include user accounts for individuals not
requiring access to the system and application accounts for applications not installed
on the system.

To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?
      

Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
            
          

If an unauthorized user obtains the private SSH host key file, the host could be
impersonated.

To check the permissions of /etc/ssh/*_key,
run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/ssh/*_key does not have unix mode -rw-------?
      

SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.

If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.

To check the permissions of /etc/ssh/*.pub,
run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?
      

 To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
        

If the operating system allows any user to make changes to software
libraries, then those changes might be implemented without undergoing the
appropriate testing and approvals that are part of a robust change management
process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with
escalated privileges. Only qualified and authorized individuals must be
allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications.

Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
      Is it the case that any system commands are returned and is not group-owned by a required system account?
      

System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE
              
            

System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.

Verify the system commands contained in the following directories are owned by "root" with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
      Is it the case that any system commands are found to not be owned by root?
      

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
              
            

System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted.

Verify the system commands contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;
      Is it the case that any system commands are found to be group-writable or world-writable?
      

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
              
            

Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

To check the group ownership of /etc/ssh/sshd_config,
run the command:
$ ls -lL /etc/ssh/sshd_config
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/ssh/sshd_config does not have a group owner of
root
?
      

To properly set the group owner of /etc/ssh/sshd_config, run the command:

  $ sudo chgrp root /etc/ssh/sshd_config
        

Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

To check the ownership of /etc/ssh/sshd_config,
run the command:
$ ls -lL /etc/ssh/sshd_config
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/ssh/sshd_config does not have an owner of root?
      

To properly set the owner of /etc/ssh/sshd_config, run the command:

  $ sudo chown root /etc/ssh/sshd_config 
        

Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

To check the permissions of /etc/ssh/sshd_config,
run the command:
$ ls -l /etc/ssh/sshd_config
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------?
      

To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
        

Failing to set the sticky bit on public directories allows unauthorized users to delete files
in the directory structure.

            
The only authorized public directories are those temporary directories supplied with the
system, or those designed to be temporary file repositories. The setting is normally reserved
for directories used by the system, by users for temporary file storage (such as /tmp),
and for directories requiring global read/write access.

To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
fixtext: |-
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.

Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:

$ chmod a+t [World-Writable Directory]
srg_requirement:
A sticky bit must be set on all Oracle Linux 9 public directories to prevent unauthorized and unintended information transferred via shared system resources.
      Is it the case that any world-writable directories are missing the sticky bit?
      

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.

To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
            
          

Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed.

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid group:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid group should be located.
      Is it the case that there is output?
      

If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in /etc/group
or in /usr/lib/group if nss-altfiles are configured to be used
in /etc/nsswitch.conf.

Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
          

Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed.

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid user:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid user should be located.
      Is it the case that files exist that are not owned by a valid user?
      

If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.

Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
          

Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon.

To verify that all user initialization files have a mode of 0740 or
less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
      Is it the case that they are not 0740 or more permissive?
      

Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
            
          

If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should.

To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?
      

Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
            

This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory.

Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users.

To verify the assigned home directory of all interactive user home directories
have a mode of 0750 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
      Is it the case that they are more permissive?
      

Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
            
          

Allowing a user account to own a world-writable directory is undesirable because it allows the
owner of that directory to remove or replace any files that may be placed in the directory by
other users.

The following command will discover and print world-writable directories that
are not owned by root. Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print
      Is it the case that there are world-writable directories not owned by root?
      

All directories in local partitions which are world-writable should be owned by root.
If any world-writable directories are not owned by root, this should be investigated.
Following this, the files should be deleted or assigned to root user.

Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system.

Verify the system-wide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
      Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account?
      

System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the  directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR
              
            

Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system.

Verify the system-wide shared library directories are owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
      Is it the case that any system-wide shared library directory is not owned by root?
      

System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the  directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR
              
            

If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing
and approvals that are part of a robust change management process.

This requirement applies to operating systems with software libraries that are accessible
and configurable, as in the case of interpreted languages. Software libraries also include
privileged programs which execute with escalated privileges. Only qualified and authorized
individuals must be allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications.

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64

To find shared libraries that are group-writable or world-writable,
run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type d
      Is it the case that any of these files are group-writable or world-writable?
      

System-wide shared library directories, which contain are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All sub-directories in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
              
            

If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing and
approvals that are part of a robust change management process.

This requirement applies to operating systems with software libraries that are
accessible and configurable, as in the case of interpreted languages. Software libraries
also include privileged programs which execute with escalated privileges. Only qualified
and authorized individuals must be allowed to obtain access to information system components
for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library files are group-owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;
      Is it the case that any system wide shared library file is returned and is not group-owned by a required system account?
      

System-wide library files are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
$ sudo chgrp root FILE
              
            

Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.

Verify the system-wide shared library files are owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;
      Is it the case that any system wide shared library file is not owned by root?
      

System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
              
            

Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.

Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \;
      Is it the case that any system-wide shared library file is found to be group-writable or world-writable?
      

System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
              
            

The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.

To check the group ownership of /boot/grub2/grub.cfg,
run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /boot/grub2/grub.cfg does not have a group owner of
root
?
      

The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.

To properly set the group owner of /boot/grub2/grub.cfg, run the command:

  $ sudo chgrp root /boot/grub2/grub.cfg
          

Only root should be able to modify important boot parameters.

To check the ownership of /boot/grub2/grub.cfg,
run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following owner:
root
      Is it the case that /boot/grub2/grub.cfg does not have an owner of root?
      

The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.

To properly set the owner of /boot/grub2/grub.cfg, run the command:

  $ sudo chown root /boot/grub2/grub.cfg 
          

The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.

To check the group ownership of /etc/group,
run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/group does not have a group owner of
root
?
      

 To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
            

The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.

To check the group ownership of /etc/group-,
run the command:
$ ls -lL /etc/group-
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/group- does not have a group owner of
root
?
      

 To properly set the group owner of /etc/group-, run the command:
$ sudo chgrp root /etc/group-
            

The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.

To check the ownership of /etc/group,
run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/group does not have an owner of root?
      

 To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group 
            

The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.

To check the ownership of /etc/group-,
run the command:
$ ls -lL /etc/group-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/group- does not have an owner of root?
      

 To properly set the owner of /etc/group-, run the command:
$ sudo chown root /etc/group- 
            

The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.

To check the permissions of /etc/group,
run the command:
$ ls -l /etc/group
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/group does not have unix mode -rw-r--r--?
      

To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group
            

The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.

To check the permissions of /etc/group-,
run the command:
$ ls -l /etc/group-
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/group- does not have unix mode -rw-r--r--?
      

To properly set the permissions of /etc/group-, run the command:
$ sudo chmod 0644 /etc/group-
            

The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.

To check the group ownership of /etc/gshadow,
run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/gshadow does not have a group owner of
root
?
      

 To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
            

The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.

To check the group ownership of /etc/gshadow-,
run the command:
$ ls -lL /etc/gshadow-
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/gshadow- does not have a group owner of
root
?
      

 To properly set the group owner of /etc/gshadow-, run the command:
$ sudo chgrp root /etc/gshadow-
            

The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.

To check the ownership of /etc/gshadow,
run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/gshadow does not have an owner of root?
      

 To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow 
            

The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.

To check the ownership of /etc/gshadow-,
run the command:
$ ls -lL /etc/gshadow-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/gshadow- does not have an owner of root?
      

 To properly set the owner of /etc/gshadow-, run the command:
$ sudo chown root /etc/gshadow- 
            

The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.

To check the permissions of /etc/gshadow,
run the command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following permissions:
----------
      Is it the case that /etc/gshadow does not have unix mode ----------?
      

To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
            

The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security.

To check the permissions of /etc/gshadow-,
run the command:
$ ls -l /etc/gshadow-
If properly configured, the output should indicate the following permissions:
----------
      Is it the case that /etc/gshadow- does not have unix mode ----------?
      

To properly set the permissions of /etc/gshadow-, run the command:
$ sudo chmod 0000 /etc/gshadow-
            

The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security.

To check the group ownership of /etc/passwd,
run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/passwd does not have a group owner of
root
?
      

 To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
            

The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security.

To check the group ownership of /etc/passwd-,
run the command:
$ ls -lL /etc/passwd-
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/passwd- does not have a group owner of
root
?
      

 To properly set the group owner of /etc/passwd-, run the command:
$ sudo chgrp root /etc/passwd-
            

The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security.

To check the ownership of /etc/passwd,
run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/passwd does not have an owner of root?
      

 To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
            

The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security.

To check the ownership of /etc/passwd-,
run the command:
$ ls -lL /etc/passwd-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/passwd- does not have an owner of root?
      

 To properly set the owner of /etc/passwd-, run the command:
$ sudo chown root /etc/passwd- 
            

If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.

To check the permissions of /etc/passwd,
run the command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/passwd does not have unix mode -rw-r--r--?
      

To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
            

The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security.

To check the permissions of /etc/passwd-,
run the command:
$ ls -l /etc/passwd-
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/passwd- does not have unix mode -rw-r--r--?
      

To properly set the permissions of /etc/passwd-, run the command:
$ sudo chmod 0644 /etc/passwd-
            

The /etc/shadow file stores password hashes. Protection of this file is
critical for system security.

To check the group ownership of /etc/shadow,
run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/shadow does not have a group owner of
root
?
      

 To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
            

The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.

To check the group ownership of /etc/shadow-,
run the command:
$ ls -lL /etc/shadow-
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/shadow- does not have a group owner of
root
?
      

 To properly set the group owner of /etc/shadow-, run the command:
$ sudo chgrp root /etc/shadow-
            

The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.

To check the ownership of /etc/shadow,
run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/shadow does not have an owner of root?
      

 To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow 
            

The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.

To check the ownership of /etc/shadow-,
run the command:
$ ls -lL /etc/shadow-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/shadow- does not have an owner of root?
      

 To properly set the owner of /etc/shadow-, run the command:
$ sudo chown root /etc/shadow- 
            

The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.

To check the permissions of /etc/shadow-,
run the command:
$ ls -l /etc/shadow-
If properly configured, the output should indicate the following permissions:
----------
      Is it the case that /etc/shadow- does not have unix mode ----------?
      

To properly set the permissions of /etc/shadow-, run the command:
$ sudo chmod 0000 /etc/shadow-
            

The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.

To check the permissions of /etc/shadow,
run the command:
$ ls -l /etc/shadow
If properly configured, the output should indicate the following permissions:
----------
      Is it the case that /etc/shadow does not have unix mode ----------?
      

To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
            

The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel.

To check the group ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /var/log does not have a group owner of
root
?
      

 To properly set the group owner of /var/log, run the command:
$ sudo chgrp root /var/log
            

The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel.

To check the ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log does not have an owner of root?
      

 To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
            

The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel.

To check the permissions of /var/log,
run the command:
$ ls -l /var/log
If properly configured, the output should indicate the following permissions:
drwxr-xr-x
      Is it the case that /var/log does not have unix mode drwxr-xr-x?
      

To properly set the permissions of /var/log, run the command:
$ sudo chmod 0755 /var/log
            

The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel.

To check the group ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /var/log/messages does not have a group owner of
root
?
      

 To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
            

The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel.

To check the ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log/messages does not have an owner of root?
      

 To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
            

The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel.

To check the permissions of /var/log/messages,
run the command:
$ ls -l /var/log/messages
If properly configured, the output should indicate the following permissions:
-rw-r-----
      Is it the case that /var/log/messages does not have unix mode -rw-r-----?
      

To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
            

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the group-owner of each audit tool by running the following command:

$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not group-owned by root?
      

Oracle Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Audit tools must have the correct group owner.

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the owner of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not owned by root?
      

Oracle Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Audit tools must have the correct owner.

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode.

Check the octal permission of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules
      Is it the case that any of these files have more permissive permissions than 0755?
      

Oracle Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Audit tools must have a mode of 0755 or less permissive.

Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.

To check the permissions of /etc/cron.weekly,
run the command:
$ ls -l /etc/cron.weekly
If properly configured, the output should indicate the following permissions:
-rwx------
      Is it the case that /etc/cron.weekly does not have unix mode -rwx------?
      

To properly set the permissions of /etc/cron.weekly, run the command:
$ sudo chmod 0700 /etc/cron.weekly
        

Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

To check the group ownership of /etc/crontab,
run the command:
$ ls -lL /etc/crontab
If properly configured, the output should indicate the following group-owner:

  root 
  
      Is it the case that /etc/crontab does not have a group owner of
root
?
      

To properly set the group owner of /etc/crontab, run the command:

  $ sudo chgrp root /etc/crontab
        

Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes.

To check the ownership of /etc/crontab,
run the command:
$ ls -lL /etc/crontab
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/crontab does not have an owner of root?
      

To properly set the owner of /etc/crontab, run the command:

  $ sudo chown root /etc/crontab 
        

Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.

To check the permissions of /etc/crontab,
run the command:
$ ls -l /etc/crontab
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/crontab does not have unix mode -rw-------?
      

To properly set the permissions of /etc/crontab, run the command:
$ sudo chmod 0600 /etc/crontab
        

An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.

Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?
      

If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.

If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned.

To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.

Verify that Oracle Linux 9 contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
      Is it the case that output is produced and the accounts listed are interactive user accounts?
      

Change user IDs (UIDs), or delete accounts, so each has a unique name.

If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own.

Verify that interactive users on the system have a home directory assigned with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined.
      Is it the case that users home directory is not defined?
      

Assign home directories to all interactive users that currently do not
have a home directory assigned.

This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /.

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group.

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
run the following command:
$ sudo pwck -qr
There should be no output.
      Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group?
      

Add a group to the system for each GID referenced without a corresponding group.

To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.

Run the following command to check for duplicate group names:
Check that the operating system contains no duplicate Group ID (GID) for interactive users by running the following command:

    cut -d : -f 3 /etc/group | uniq -d

If output is produced, this is a finding.
Configure the operating system to contain no duplicate GIDs.
Edit the file "/etc/group" and provide each group that has a duplicate GID with a unique GID.
      Is it the case that the system has duplicate group ids?
      

Change the group name or delete groups, so each has a unique id.

Not having the correct SELinux context on the pam_faillock.so records directory may lead to
unauthorized access to the directory.

If the system does not have SELinux enabled and enforcing a targeted policy, or if the
pam_faillock.so module is not configured for use, this requirement is not applicable.

Verify the location of the non-default tally directory for the pam_faillock.so module with
the following command:

$ sudo grep -w dir /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock
      Is it the case that the security context type of the non-default tally directory is not "faillog_t"?
      

The dir configuration option in PAM pam_faillock.so module defines where the lockout
records is stored. The configured directory must have the correct SELinux context.

If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
password guessing attacks.

Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/system-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so?
      

The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth.

If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
password guessing attacks.

Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so?
      

The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth.

By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account.

Verify Oracle Linux 9 is configured to lock an account after 
unsuccessful logon attempts with the command:

$ grep 'deny =' /etc/security/faillock.conf
deny = .
      Is it the case that the "deny" option is not set to ""
or less (but not "0"), is missing or commented out?
      

This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
Ensure that the file /etc/security/faillock.conf contains the following entry:
deny = 
Where count should be less than or equal to
 and greater than 0.

In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.

By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account.

Verify Oracle Linux 9 is configured to lock the root account after 
unsuccessful logon attempts with the command:

$ grep even_deny_root /etc/security/faillock.conf
even_deny_root
      Is it the case that the "even_deny_root" option is not set, is missing or commented out?
      

This rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_faillock.so.

pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.

Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.

Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:

$ sudo grep audit /etc/security/faillock.conf

audit
      Is it the case that the "audit" option is not set, is missing or commented out?
      

PAM faillock locks an account due to excessive password failures, this event must be logged.

Locking out user accounts after a number of incorrect attempts prevents direct password
guessing attacks. In combination with the silent option, user enumeration attacks
are also mitigated.

To ensure the tally directory is configured correctly, run the following command:
$ sudo grep 'dir =' /etc/security/faillock.conf
The output should show that dir is set to something other than "/var/run/faillock"
      Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out?
      

This rule ensures that the system lock out accounts using pam_faillock.so persist
after system reboot. From "pam_faillock" man pages:
Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.

pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.

The chosen profile expects the directory to be 
                
              .

To configure the tally directory, add the following line to /etc/security/faillock.conf:
dir = 
              
            

If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.

            

Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?
      

Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting 
                USER
               and 
                YYYY-MM-DD
              
appropriately:
$ sudo chage -E YYYY-MM-DD USER
              
              
                YYYY-MM-DD
               indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours.

If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access.

Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?
      

Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
            
          

Ensuring shells are not given to system accounts upon login makes it more difficult for
attackers to make use of system accounts.

To obtain a listing of all users, their UIDs, and their shells, run the command:
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID
numbers less than 1000, other than root.
      Is it the case that any system account other than root has a login shell?
      

Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.

              
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
              
            

If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own.

Verify all local interactive users on Oracle Linux 9 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?
      

All local interactive user accounts, upon creation, should be assigned a home directory.

            
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:

            
            CREATE_HOME yes
          

The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the users home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO).

Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?
      

Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory.

The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system.

Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

$ sudo find /home -maxdepth 2 -type f -name ".[^.]*" -exec grep -iH -d skip --exclude=.bash_history umask {} \;

/home/wadea/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/wadea/.bash_history:grep -i umask /etc/login.defs
      Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"?
      

Remove the UMASK environment variable from all interactive users initialization files.

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
      

To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=
                  
                
              
If a password is currently on the verge of expiration, then

                
              
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 
                
               day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information.

Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack.

Verify Oracle Linux 9 enforces a delay of at least  seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 
      Is it the case that the value of "FAIL_DELAY" is not set to "" or greater, or the line is commented out?
      

To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
            
          

Logging remote access methods can be used to trace the decrease the risks
associated with remote user access management. It can also be used to spot
cyber attacks and ensure ongoing compliance with organizational policies
surrounding the use of remote access methods.

To verify that remote access methods are logging to rsyslog,
run the following command:

grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.*

The output should contain auth.*, authpriv.*, and daemon.*
pointing to a log file.
      Is it the case that remote access methods are not logging to rsyslog?
      

Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The /etc/rsyslog.conf or
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:

    auth.*;authpriv.*                              /var/log/secure
    daemon.*                                       /var/log/messages

          

A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.

To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
 *.* @
or
*.* action(type="omfwd" ... target="" protocol="udp")
If using TCP, a line similar to the following should be present:
 *.* @@
or
*.* action(type="omfwd" ... target="" protocol="tcp")
If using RELP, a line similar to the following should be present:
 *.* :omrelp:
or
*.* action(type="omfwd" ... target="" protocol="relp")
      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
      

To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting 
              
                
              
             appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.

To use UDP for log message delivery:
*.* @
                
              
            
            
Or in RainerScript:
*.* action(type="omfwd" ... target="
                
              " protocol="udp")
            
To use TCP for log message delivery:
*.* @@
                
              
            
            
Or in RainerScript:
*.* action(type="omfwd" ... target="
                
              " protocol="tcp")
            
To use RELP for log message delivery:
*.* :omrelp:
                
              
            
            
Or in RainerScript:
*.* action(type="omfwd" ... target="
                
              " protocol="relp")
            
There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.

Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users.

Verify that cron is logging to rsyslog,
run the following command:
grep -rni "cron\.\*" /etc/rsyslog.*
cron.*                                                  /var/log/cron
or
cron.* action(type="omfile" file="/var/log/cron")
      Is it the case that cron is not logging to rsyslog?
      

Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
If the legacy syntax is used:
cron.*                                                  /var/log/cron
If the modern syntax (RainerScript) is used:
cron.* action(type="omfile" file="/var/log/cron")
          

The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access.

Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command:

$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
The output should be
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
      Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name?
      

Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging.  Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.

When using rsyslogd to off-load logs the remote system must be authenticated.

Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$ActionSendStreamDriverAuthMode x509/name
Alternatively, use the RainerScript syntax:
action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")
          

The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access.

Verify the operating system encrypts audit records off-loaded onto a different system
or media from the system being audited with the following commands:

$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

The output should be:

/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
      Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1?
      

Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging.  Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.

When using rsyslogd to off-load logs off a encrpytion system must be used.

Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$ActionSendStreamDriverMode 1

Alternatively, use the RainerScript syntax:
action(type="omfwd" ... StreamDriverMode="1")
          

The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access.

Verify the operating system encrypts audit records off-loaded onto a different system
or media from the system being audited with the following commands:

$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

The output should be:

/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
      Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls?
      

Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging.  Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.

When using rsyslogd to off-load logs off an encryption system must be used.

Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$DefaultNetstreamDriver gtls

Alternatively, use the RainerScript syntax:
global(DefaultNetstreamDriver="gtls")
          

Any process which receives messages from the network incurs some risk of receiving malicious
messages. This risk can be eliminated for rsyslog by configuring it not to listen on the
network.

Verify that the system is not accepting "rsyslog" messages from other systems unless it is
documented as a log aggregation server.
Display the contents of the rsyslog configuration files:
find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \;

If any of the below lines are found, ask to see the documentation for the system being used
for log aggregation:

If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

      Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system?
      

The rsyslog daemon should not accept remote messages unless the system acts as a log
server. To ensure that it is not listening on the network, ensure any of the following lines
are not found in rsyslog configuration files.

If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
            

If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

          

Nftables is modern kernel module for controling network connections coming into a system.
Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.

Verify "nftables" is configured to allow rate limits on any connection to the system with the following command:

Verify "firewalld" has "nftables" set as the default backend:

$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf

# FirewallBackend
FirewallBackend=nftables
      Is it the case that the "nftables" is not set as the "firewallbackend"?
      

Firewalld can be configured with many backends, such as nftables.

The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources.

Verify that there are no wireless interfaces configured on the system
with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ nmcli device status
DEVICE          TYPE      STATE         CONNECTION
virbr0          bridge    connected     virbr0
wlp7s0          wifi      connected     wifiSSID
enp6s0          ethernet  disconnected  --
p2p-dev-wlp7s0  wifi-p2p  disconnected  --
lo              loopback  unmanaged     --
virbr0-nic      tun       unmanaged     --
      Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)?
      

Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.

              

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
            

To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.

Verify that Oracle Linux 9 has a DNS mode configured in Network Manager.

$ NetworkManager --print-config
[main]
dns=
      Is it the case that the dns key under main does not exist or is not set to "none" or "default"?
      

The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected.

To provide availability for name resolution services, multiple redundant
name servers are mandated. A failure in name resolution could lead to the
failure of security functions requiring name resolution, which may include
time synchronization, centralized authentication, and remote system logging.

Verify that DNS servers have been configured properly, perform the following:
$ sudo grep nameserver /etc/resolv.conf
      Is it the case that less than two lines are returned that are not commented out?
      

Determine whether the system is using local or DNS name resolution with the
following command:
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf"
file, the "/etc/resolv.conf" file must be empty.
Verify the "/etc/resolv.conf" file is empty with the following command:
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file,
then verify the following:

Multiple Domain Name System (DNS) Servers should be configured
in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address
           entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
        

Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.

          
If the system is being used to perform a network troubleshooting function, the use of these
tools must be documented with the Information Systems Security Manager (ISSM) and restricted
to only authorized personnel.

Verify that Promiscuous mode of an interface is disabled, run the following command:
$ ip link | grep PROMISC
      Is it the case that any network device is in promiscuous mode?
      

The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
        

IP tunneling mechanisms can be used to bypass network filtering.

Verify that Oracle Linux 9 does not have unauthorized IP tunnels configured.


# yum list installed libreswan
libreswan.x86-64 3.20-5.el7_4


If "libreswan" is installed, check to see if the "IPsec" service is active with the following command:

# systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)


If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following:
grep -rni conn /etc/ipsec.conf /etc/ipsec.d/
Verify any returned results for organizational approval.
      Is it the case that the IPSec tunnels are not approved?
      

Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
(conn) configured in /etc/ipsec.conf and /etc/ipsec.d
exists is an approved organizational connection.

ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.

This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required."

The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0
            

Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.

              
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.

The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
            

The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.

The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.log_martians
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1
            

The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.

The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.log_martians
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1
            

Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.

The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.rp_filter
The output of the command should indicate either:
net.ipv4.conf.all.rp_filter = 1

The output of the command should not indicate:
net.ipv4.conf.all.rp_filter = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent sysctl parameter configuration is performed by specifying the appropriate
assignment in any file located in the /etc/sysctl.d directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
net.ipv4.conf.all.rp_filter = 1


Conflicting assignments are not allowed.
      Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or is configured to be 0 or 2?
      

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
            

ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required.

The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
            

Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.

Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router.

The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
            

Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.

The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.rp_filter
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1
            

IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.

The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?
      

To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0
            

Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.

Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.

The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1
            

Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.

The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_ignore_bogus_error_responses
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
            

ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.send_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0
            

ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.send_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0
            

An illicit router advertisement message could result in a man-in-the-middle attack.

The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_ra
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0
            

An illicit ICMP redirect message could result in a man-in-the-middle attack.

The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0
            

Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.

              
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.

The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0
            

IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.

The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?
      

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0
            

An illicit router advertisement message could result in a man-in-the-middle attack.

The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_ra
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0
            

An illicit ICMP redirect message could result in a man-in-the-middle attack.

The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0
            

Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.

The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
            

A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.

The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.tcp_syncookies
1.

      Is it the case that the correct value is not returned?
      

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
            

If modification of login UIDs is not prevented, they can be changed by unprivileged users and
make auditing complicated or impossible.

To determine if the system is configured to make login UIDs immutable, run
one of the following commands.
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), run the following:
sudo grep immutable /etc/audit/rules.d/*.rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, run the following command:
sudo grep immutable /etc/audit/audit.rules
The following line should be returned:
--loginuid-immutable
      Is it the case that the system is not configured to make login UIDs immutable?
      

Configure kernel to prevent modification of login UIDs once they are set.
Changing login UIDs while this configuration is enforced requires special capabilities which
are not available to unprivileged users.
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make login UIDs
immutable:
--loginuid-immutable
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make login UIDs
immutable:
--loginuid-immutable
        

Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation.

Verify the audit system prevents unauthorized changes with the following command:

$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-e 2

      Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"?
      

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.

Untrusted Certificate Authorities (CA) can issue certificates, but they
may be issued by organizations or individuals that seek to compromise
DoD systems or by organizations with insufficient security controls. If
the CA used for verifying the certificate is not a DoD-approved CA,
trust of this CA has not been established.
The DoD will only accept PKI-certificates obtained from a DoD-approved
internal or external certificate authority. Reliance on CAs for the
establishment of secure sessions includes, for example, the use of
SSL/TLS certificates.

The operating system must only allow the use of DoD PKI-established
certificate authorities for verification of the establishment of
protected sessions.