CCE Identifiers in Guide to the Secure Configuration of Red Hat Enterprise Linux 10


CCE ID Rule Title Description
CCE-90578-6 Prefer to use a 64-bit Operating System when supported Prefer installation of 64-bit operating systems when the CPU supports it.
CCE-89944-3 Verify File Hashes with RPM Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: 
$ rpm -Va --noconfig | grep '^..5'
If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: 
$ rpm -qf FILENAME
The package can be reinstalled from a dnf repository using the command: 
$ sudo dnf reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command: 
$ sudo rpm -Uvh PACKAGENAME
CCE-90421-9 Verify and Correct Ownership with RPM The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with: 
rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
run the following command to determine which package owns it: 
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values: 
$ sudo rpm --restore PACKAGENAME
CCE-88623-4 Verify and Correct File Permissions with RPM The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command: 
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: 
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values: 
$ sudo rpm --restore PACKAGENAME
CCE-90477-1 Install AIDE The aide package can be installed with the following command: 
$ sudo dnf install aide
CCE-86942-0 Build and Test AIDE Database Run the following command to generate a new database: 
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: 
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command: 
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
CCE-86441-3 Configure AIDE to Verify the Audit Tools The operating system file integrity tool must be configured to protect the integrity of the audit tools.
CCE-86738-2 Configure Periodic Execution of AIDE At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
CCE-90177-7 Configure Notification of Post-AIDE Scan Details AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line: 
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab: 
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
CCE-90260-1 Configure AIDE to Use FIPS 140-2 for Validating Hashes By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf: 
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
CCE-89640-7 Configure AIDE to Verify Access Control Lists (ACLs) By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
CCE-89625-8 Configure AIDE to Verify Extended Attributes By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
CCE-86839-8 Audit Tools Must Be Group-owned by Root Red Hat Enterprise Linux 10 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner.
CCE-87874-4 Audit Tools Must Be Owned by Root Red Hat Enterprise Linux 10 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct owner.
CCE-86578-2 Audit Tools Must Have a Mode of 0755 or Less Permissive Red Hat Enterprise Linux 10 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have a mode of 0755 or less permissive.
CCE-86982-6 Enable FIPS Mode To enable FIPS mode, run the following command: 
fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to
  • Loading the Dracut fips module
CCE-89047-5 Set kernel parameter 'crypto.fips_enabled' to 1 System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command: 
fips-mode-setup --enable
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
CCE-89668-8 Install crypto-policies package The crypto-policies package can be installed with the following command: 
$ sudo dnf install crypto-policies
CCE-86874-5 Configure BIND to use System Crypto Policy Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";
CCE-89085-5 Configure System Cryptography Policy To configure the system cryptography policy to use ciphers only from the policy, run the following command: 
$ sudo update-crypto-policies --set
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
CCE-88640-8 Configure Kerberos to use System Crypto Policy Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
CCE-88687-9 Configure Libreswan to use System Crypto Policy Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config
CCE-88980-8 Configure OpenSSL library to use System Crypto Policy Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
CCE-87082-4 Configure OpenSSL library to use TLS Encryption Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures TLS protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy. Or create and apply a custom policy that restricts minimum TLS version to 1.2. For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch this is expected: 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2
Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected: 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
CCE-88557-4 Configure SSH to use System Crypto Policy Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.
CCE-89725-6 The Installed Operating System Is Vendor Supported The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches.
CCE-89165-5 Encrypt Partitions Red Hat Enterprise Linux 10 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: 
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 10 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening .
CCE-90755-0 Ensure /boot Located On Separate Partition It is recommended that the /boot directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the noexec mount option. Eventually, the /boot partition can be configured not to be mounted automatically with the noauto mount option.
CCE-89532-6 Ensure /dev/shm is configured The /dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If /dev/shm is not configured, tmpfs will be mounted to /dev/shm by systemd.
CCE-88231-6 Ensure /home Located On Separate Partition If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
CCE-90750-1 Ensure /opt Located On Separate Partition It is recommended that the /opt directory resides on a separate partition.
CCE-88936-0 Ensure /srv Located On Separate Partition If a file server (FTP, TFTP...) is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
CCE-89606-8 Ensure /tmp Located On Separate Partition The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
CCE-90748-5 Ensure /usr Located On Separate Partition It is recommended that the /usr directory resides on a separate partition.
CCE-89166-3 Ensure /var Located On Separate Partition The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.
CCE-88355-3 Ensure /var/log Located On Separate Partition System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM.
CCE-89211-7 Ensure /var/log/audit Located On Separate Partition Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
CCE-87694-6 Ensure /var/tmp Located On Separate Partition The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
CCE-89797-5 Ensure tmp.mount Unit Is Enabled The /tmp directory is a world-writable directory used for temporary file storage. This directory is managed by systemd-tmpfiles. Ensure that the tmp.mount systemd unit is enabled.
CCE-88880-0 Remove the GDM Package Group By removing the gdm package, the system no longer has GNOME installed installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: 
$ sudo yum remove gdm
CCE-86609-5 Make sure that the dconf databases are up-to-date with regards to respective keyfiles By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the 
dconf update
command. More specifically, content present in the following directories: 
/etc/dconf/db/distro.d
/etc/dconf/db/local.d
CCE-87837-1 Disable the GNOME3 Login Restart and Shutdown Buttons In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability the ability to shutdown or restart the system. This functionality should be disabled by setting disable-restart-buttons to true.

To disable, add or edit disable-restart-buttons to /etc/dconf/db/distro.d/00-security-settings. For example: 
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.
CCE-87918-9 Disable the GNOME3 Login User List In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/distro.d/00-security-settings. For example: 
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
CCE-87751-4 Enable the GNOME3 Screen Locking On Smartcard Removal In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action to 'lock-screen'.

To enable, add or edit removal-action to /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.
CCE-87057-6 Disable GDM Automatic Login The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: 
[daemon]
AutomaticLoginEnable=false
CCE-88976-6 Disable GDM Guest Login The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To do disable timed logins or guest account access, set the TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: 
[daemon]
TimedLoginEnable=false
CCE-89756-1 Disable GNOME3 Automounting The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set automount to false in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update.
CCE-86628-5 Disable GNOME3 Automount Opening The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set automount-open to false in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
CCE-87588-0 Disable GNOME3 Automount running The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
CCE-89964-1 Enable GNOME3 Screensaver Idle Activation To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
CCE-87170-7 Set GNOME3 Screensaver Inactivity Timeout The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings: 
[org/gnome/desktop/session]
idle-delay=uint32 900
CCE-88417-1 Set GNOME3 Screensaver Lock Delay After Activation Period To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
lock-delay=uint32
After the settings have been set, run dconf update.
CCE-89684-5 Enable GNOME3 Screensaver Lock After Idle Period To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
CCE-87356-2 Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding 
/org/gnome/desktop/screensaver/lock-enabled
to /etc/dconf/db/local.d/locks/00-security-settings. For example: 
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
CCE-88476-7 Implement Blank Screensaver To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
CCE-88349-6 Ensure Users Cannot Change GNOME3 Screensaver Settings If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
CCE-88587-1 Ensure Users Cannot Change GNOME3 Session Idle Settings If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
CCE-90658-6 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to [''] in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/settings-daemon/plugins/media-keys]
logout=['']
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
CCE-87100-4 Install sudo Package The sudo package can be installed with the following command: 
$ sudo dnf install sudo
CCE-87598-9 Verify Group Who Owns /etc/sudoers.d Directory To properly set the group owner of /etc/sudoers.d, run the command: 
$ sudo chgrp root /etc/sudoers.d
CCE-89589-6 Verify User Who Owns /etc/sudoers.d Directory To properly set the owner of /etc/sudoers.d, run the command: 
$ sudo chown root /etc/sudoers.d
CCE-89200-0 Verify Permissions On /etc/sudoers.d Directory To properly set the permissions of /etc/sudoers.d, run the command: 
$ sudo chmod 0750 /etc/sudoers.d
CCE-89613-4 Verify Group Who Owns /etc/sudoers File To properly set the group owner of /etc/sudoers, run the command: 
$ sudo chgrp root /etc/sudoers
CCE-87065-9 Verify User Who Owns /etc/sudoers File To properly set the owner of /etc/sudoers, run the command: 
$ sudo chown root /etc/sudoers
CCE-90690-9 Verify Permissions On /etc/sudoers File To properly set the permissions of /etc/sudoers, run the command: 
$ sudo chmod 0440 /etc/sudoers
CCE-88124-3 Ensure That the sudo Binary Has the Correct Permissions To properly set the permissions of /usr/bin/sudo, run the command: 
$ sudo chmod 4111 /usr/bin/sudo
CCE-90747-7 Ensure sudo Runs In A Minimal Environment - sudo env_reset The sudo env_reset tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Enterprise Linux 10, env_reset is enabled by default This should be enabled by making sure that the env_reset tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-90743-6 Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot The sudo ignore_dot tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 10, ignore_dot is enabled by default This should be enabled by making sure that the ignore_dot tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-89119-2 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC The sudo NOEXEC tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the NOEXEC tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-90076-1 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty The sudo requiretty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the requiretty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-89073-1 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-89611-8 Ensure Sudo Logfile Exists - sudo logfile A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.
CCE-89208-3 Ensure a dedicated group owns sudo Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is .
CCE-88892-5 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-87015-4 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
CCE-87457-8 Ensure Users Re-Authenticate for Privilege Escalation - sudo The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/."
CCE-88136-7 Require Re-Authentication When Using the sudo Command The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
CCE-87421-4 The operating system must restrict privilege elevation to authorized personnel The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
CCE-90002-7 Explicit arguments in sudo specifications All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
CCE-90660-2 Don't define allowed commands in sudoers by means of exclusion Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the sudoers file contains a comma-delimited list of command specifications. The definition can make use glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.
CCE-90532-3 Don't target root user in the sudoers file The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used.
CCE-88855-2 Ensure invoking users password for privilege escalation when using sudo The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: 
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw
or if cvtsudoers not supported: 
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw
CCE-87541-9 Install cryptsetup Package The cryptsetup package can be installed with the following command: 
$ sudo dnf install cryptsetup
CCE-90403-7 Ensure gnutls-utils is installed The gnutls-utils package can be installed with the following command: 
$ sudo dnf install gnutls-utils
CCE-88703-4 Install libdnf-plugin-subscription-manager Package The libdnf-plugin-subscription-manager package can be installed with the following command: 
$ sudo dnf install libdnf-plugin-subscription-manager
CCE-87829-8 Ensure nss-tools is installed The nss-tools package can be installed with the following command: 
$ sudo dnf install nss-tools
CCE-89429-5 Install openscap-scanner Package The openscap-scanner package can be installed with the following command: 
$ sudo dnf install openscap-scanner
CCE-89689-4 Install scap-security-guide Package The scap-security-guide package can be installed with the following command: 
$ sudo dnf install scap-security-guide
CCE-88542-6 Install subscription-manager Package The subscription-manager package can be installed with the following command: 
$ sudo dnf install subscription-manager
CCE-87596-3 Uninstall gssproxy Package The gssproxy package can be removed with the following command: 
$ sudo dnf remove gssproxy
CCE-89809-8 Uninstall iprutils Package The iprutils package can be removed with the following command: 
$ sudo dnf remove iprutils
CCE-87654-0 Uninstall tuned Package The tuned package can be removed with the following command: 
$ sudo dnf remove tuned
CCE-87561-7 Install dnf-automatic Package The dnf-automatic package can be installed with the following command: 
$ sudo dnf install dnf-automatic
CCE-88515-2 Ensure dnf Removes Previous Package Versions dnf should be configured to remove previous software components after new versions have been installed. To configure dnf to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/dnf/dnf.conf.
CCE-86671-5 Configure dnf-automatic to Install Available Updates Automatically To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
CCE-87469-3 Configure dnf-automatic to Install Only Security Updates To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf.
CCE-88404-9 Ensure gpgcheck Enabled In Main dnf Configuration The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check package signatures before installing them, ensure the following line appears in /etc/dnf/dnf.conf in the [main] section: 
gpgcheck=1
CCE-89409-7 Ensure gpgcheck Enabled for Local Packages dnf should be configured to verify the signature(s) of local packages prior to installation. To configure dnf to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
CCE-88176-3 Ensure gpgcheck Enabled for All dnf Package Repositories To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form: 
gpgcheck=0
CCE-88518-6 Ensure gpgcheck Enabled for Repository Metadata Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that dnf verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/dnf/dnf.conf.
CCE-88256-3 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: 
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: 
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: 
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
CCE-90249-4 Enable dnf-automatic Timer The dnf-automatic timer can be enabled with the following command: 
$ sudo systemctl enable dnf-automatic.timer
CCE-87407-3 Enable authselect Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the profile.
CCE-88261-3 Modify the System Login Banner To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.
CCE-86165-8 Ensure Local Login Warning Banner Is Configured Properly To configure the system local login warning banner edit the /etc/issue file. The contents of this file is displayed to users prior to login to local terminals. Replace the default text with a message compliant with the local site policy. The message should not contain information about operating system version, release, kernel version or patch level. The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text:
CCE-86169-0 Ensure Remote Login Warning Banner Is Configured Properly To configure the system remote login warning banner edit the /etc/issue.net file. The contents of this file is displayed to users prior to login from remote connections. Replace the default text with a message compliant with the local site policy. The message should not contain information about operating system version, release, kernel version or patch level. The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text:
CCE-86150-0 Ensure Message Of The Day Is Configured Properly To configure the system message of the day banner edit the /etc/motd file. Replace the default text with a message compliant with the local site policy. The message should not contain information about operating system version, release, kernel version or patch level. The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text:
CCE-89209-1 Verify Group Ownership of System Login Banner To properly set the group owner of /etc/issue, run the command: 
$ sudo chgrp root /etc/issue
CCE-88343-9 Verify Group Ownership of System Login Banner for Remote Connections To properly set the group owner of /etc/issue.net, run the command: 
$ sudo chgrp root /etc/issue.net
CCE-87687-0 Verify Group Ownership of Message of the Day Banner To properly set the group owner of /etc/motd, run the command: 
$ sudo chgrp root /etc/motd
CCE-88544-2 Verify ownership of System Login Banner To properly set the owner of /etc/issue, run the command: 
$ sudo chown root /etc/issue
CCE-86969-3 Verify ownership of System Login Banner for Remote Connections To properly set the owner of /etc/issue.net, run the command: 
$ sudo chown root /etc/issue.net
CCE-87043-6 Verify ownership of Message of the Day Banner To properly set the owner of /etc/motd, run the command: 
$ sudo chown root /etc/motd
CCE-86812-5 Verify permissions on System Login Banner To properly set the permissions of /etc/issue, run the command: 
$ sudo chmod 0644 /etc/issue
CCE-87831-4 Verify permissions on System Login Banner for Remote Connections To properly set the permissions of /etc/issue.net, run the command: 
$ sudo chmod 0644 /etc/issue.net
CCE-90411-0 Verify permissions on Message of the Day Banner To properly set the permissions of /etc/motd, run the command: 
$ sudo chmod 0644 /etc/motd
CCE-87417-2 Enable GNOME3 Login Warning Banner In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/distro.d/00-security-settings. For example: 
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
CCE-88901-4 Set the GNOME3 Login Warning Banner Text In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/distro.d/00-security-settings. For example: 
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
CCE-90527-3 Install pam_pwquality Package The libpwquality package can be installed with the following command: 
$ sudo dnf install libpwquality
CCE-89298-4 Disallow Configuration to Bypass Password Requirements for Privilege Escalation Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: 
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
CCE-88650-7 Ensure PAM Displays Last Logon/Access Notification To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to include showfailed option, such as: 
session     [default=1]    pam_lastlog.so showfailed
And make sure that the silent option is not set for this specific line.
CCE-90739-4 Set Up a Private Namespace in PAM Configuration To setup a private namespace add the following line to /etc/pam.d/login: 
session    required     pam_namespace.so
CCE-87657-3 Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth.
CCE-88810-7 Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth.
CCE-90568-7 An SELinux Context must be configured for the pam_faillock.so records directory The dir configuration option in PAM pam_faillock.so module defines where the lockout records is stored. The configured directory must have the correct SELinux context.
CCE-89749-6 Limit Password Reuse: password-auth Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: 
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than
CCE-89776-9 Limit Password Reuse: system-auth Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: 
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than
CCE-87288-7 Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.
CCE-90730-3 Account Lockouts Must Be Logged PAM faillock locks an account due to excessive password failures, this event must be logged.
CCE-87388-5 Lock Accounts After Failed Password Attempts This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to and greater than 0. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
CCE-87975-9 Configure the root Account for Failed Password Attempts This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
CCE-90182-7 Lock Accounts Must Persist This rule ensures that the system lock out accounts using pam_faillock.so persist after system reboot. From "pam_faillock" man pages: 
Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. The chosen profile expects the directory to be .
CCE-86672-3 Set Interval For Counting Failed Password Attempts Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
CCE-89250-5 Set Lockout Time for Failed Password Attempts This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.
CCE-89089-7 Ensure PAM Enforces Password Requirements - Minimum Digit Characters The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.
CCE-88171-4 Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words The pam_pwquality module's dictcheck check if passwords contains dictionary words. When dictcheck is set to 1 passwords will be checked for dictionary words.
CCE-90363-3 Ensure PAM Enforces Password Requirements - Minimum Different Characters The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords.
CCE-90134-8 Ensure PAM Enforces Password Requirements - Enforce for root User The pam_pwquality module's enforce_for_root parameter controls requirements for enforcing password complexity for the root user. Enable the enforce_for_root setting in /etc/security/pwquality.conf to require the root user to use complex passwords.
CCE-90276-7 Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
CCE-88844-6 Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters.
CCE-88015-3 Set Password Maximum Consecutive Repeating Characters The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters.
CCE-87289-5 Ensure PAM Enforces Password Requirements - Minimum Different Categories The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available: 
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
CCE-87852-0 Ensure PAM Enforces Password Requirements - Minimum Length The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.
CCE-89297-6 Ensure PAM Enforces Password Requirements - Minimum Special Characters The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords.
CCE-89505-2 Ensure PAM password complexity module is enabled in password-auth To enable PAM password complexity in password-auth file: Edit the password section in /etc/pam.d/password-auth to show password requisite pam_pwquality.so.
CCE-89362-8 Ensure PAM password complexity module is enabled in system-auth To enable PAM password complexity in system-auth file: Edit the password section in /etc/pam.d/system-auth to show password requisite pam_pwquality.so.
CCE-90554-7 Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry= , or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
CCE-89959-1 Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
CCE-90325-2 Set Password Hashing Algorithm in /etc/libuser.conf In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the algorithm for password hashing: 
crypt_style =
CCE-89508-6 Set Password Hashing Algorithm in /etc/login.defs In /etc/login.defs, add or update the following line to ensure the system will use as the hashing algorithm: 
ENCRYPT_METHOD
CCE-88661-4 Set PAM''s Password Hashing Algorithm - password-auth The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/password-auth, the password section of the file controls which PAM modules to execute during a password change. Set the pam_unix.so module in the password section to include the option and no other hashing algorithms as shown below: 
password    sufficient    pam_unix.so 
          other arguments...

This will help ensure that new passwords for local users will be stored using the algorithm.
CCE-88697-8 Set PAM''s Password Hashing Algorithm The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules to execute during a password change. Set the pam_unix.so module in the password section to include the option and no other hashing algorithms as shown below: 
password    sufficient    pam_unix.so 
          other arguments...

This will help ensure that new passwords for local users will be stored using the algorithm.
CCE-90508-3 Set Password Hashing Rounds in /etc/login.defs In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example: 
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
CCE-90212-2 Disable debug-shell SystemD Service SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command: 
$ sudo systemctl mask --now debug-shell.service
CCE-87627-6 Disable Ctrl-Alt-Del Burst Action By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf: 
CtrlAltDelBurstAction=none
CCE-90035-7 Disable Ctrl-Alt-Del Reboot Activation By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: 
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or 
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
CCE-89661-3 Verify that Interactive Boot is Disabled Red Hat Enterprise Linux 10 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 10 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of 
systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub. It is also required to change the runtime configuration, run: 
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg
CCE-88334-8 Configure Logind to terminate idle sessions after certain time of inactivity To configure logind service to terminate inactive user sessions after seconds, edit the file /etc/systemd/logind.conf. Ensure that there is a section 
[Login]
which contains the configuration 
StopIdleSessionSec=
.
CCE-89188-7 Require Authentication for Emergency Systemd Target Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.
CCE-90014-2 Require Authentication for Single User Mode Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
CCE-87577-3 Install the tmux Package To enable console screen locking, install the tmux package. The tmux package can be installed with the following command: 
$ sudo dnf install tmux
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 10 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Instruct users to begin new terminal sessions with the following command: 
$ tmux
The console can now be locked with the following key combination: 
ctrl+b :lock-session
CCE-88723-2 Configure tmux to lock session after inactivity To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to a value greater than 0 and less than or equal to 900 in /etc/tmux.conf.
CCE-86847-1 Configure the tmux Lock Command To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf: 
set -g lock-command vlock
. The console can now be locked with the following key combination: 
ctrl+b :lock-session
CCE-86475-1 Configure the tmux lock session key binding To set a key binding for the screen locking in tmux terminal multiplexer, the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: 
bind X lock-session
. The console can now be locked with the following key combination: 
Ctrl+b Shift+x
CCE-86967-7 Prevent user from disabling the screen lock The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
CCE-86898-4 Install the opensc Package For Multifactor Authentication The opensc package can be installed with the following command: 
$ sudo dnf install opensc
CCE-88682-0 Install the pcsc-lite package The pcsc-lite package can be installed with the following command: 
$ sudo dnf install pcsc-lite
CCE-86642-6 Install Smart Card Packages For Multifactor Authentication Configure the operating system to implement multifactor authentication by installing the required package with the following command:
CCE-87363-8 Enable the pcscd Service The pcscd service can be enabled with the following command: 
$ sudo systemctl enable pcscd.service
CCE-90065-4 Configure opensc Smart Card Drivers The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To configure the OpenSC driver, edit the /etc/opensc.conf and add the following line into the file in the app default block, so it will look like: 
app default {
   ...
   card_drivers = ;
}
CCE-89474-1 Force opensc To Use Defined Smart Card Driver The OpenSC smart card middleware can auto-detect smart card drivers; however by forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is . To force the OpenSC driver, edit the /etc/opensc.conf. Look for a line similar to: 
# force_card_driver = customcos;
and change it to: 
force_card_driver = ;
CCE-89811-4 Ensure All Accounts on the System Have Unique User IDs Change user IDs (UIDs), or delete accounts, so each has a unique name.
CCE-88135-9 Only Authorized Local User Accounts Exist on Operating System Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed software groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command: 
$ sudo userdel unauthorized_user
CCE-86908-1 Ensure All Groups on the System Have Unique Group ID Change the group name or delete groups, so each has a unique id.
CCE-88449-4 Ensure All Groups on the System Have Unique Group Names Change the group name or delete groups, so each has a unique name.
CCE-88966-7 Set Account Expiration Following Inactivity To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd: 
INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.
CCE-89470-9 Assign Expiration Date to Temporary Accounts Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately: 
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
CCE-90323-7 Ensure All Accounts on the System Have Unique Names Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: 
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
If a username is returned, change or delete the username.
CCE-87961-9 Set Password Maximum Age To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: 
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
CCE-89307-3 Set Password Minimum Age To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line: 
PASS_MIN_DAYS
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
CCE-87452-9 Set Password Minimum Length in login.defs To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line: 
PASS_MIN_LEN


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.
CCE-87137-6 Set Existing Passwords Maximum Age Configure non-compliant accounts to enforce a -day maximum password lifetime restriction by running the following command: 
$ sudo chage -M 
          USER
CCE-88296-9 Set Root Account Password Maximum Age Configure the root account to enforce a -day maximum password lifetime restriction by running the following command: 
$ sudo chage -M  root
CCE-87953-6 Set Existing Passwords Minimum Age Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: 
$ sudo chage -m 1 USER
CCE-87604-5 Set Existing Passwords Warning Age To configure how many days prior to password expiration that a warning will be issued to users, run the command: 
$ sudo chage --warndays 
          USER
The DoD requirement is 7, and CIS recommendation is no less than 7 days. This profile requirement is .
CCE-89628-2 Set Password Warning Age To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line: 
PASS_WARN_AGE
The DoD requirement is 7. The profile requirement is .
CCE-86554-3 Set existing passwords a period of inactivity before they been locked Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: 
$ sudo chage --inactive 30USER
CCE-87644-1 Verify All Account Password Hashes are Shadowed If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
CCE-90070-4 Verify All Account Password Hashes are Shadowed with SHA512 Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: 
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
CCE-90359-1 Ensure all users last password change date is in the past All users should have a password change date in the past.
CCE-88891-7 Set number of Password Hashing Rounds - password-auth Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the rounds option for the pam_unix PAM module.

In file /etc/pam.d/password-auth append rounds= to the pam_unix.so entry, as shown below: 
password sufficient pam_unix.so ...existing_options... rounds=
The system's default number of rounds is 5000.
CCE-90063-9 Set number of Password Hashing Rounds - system-auth Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the rounds option for the pam_unix PAM module.

In file /etc/pam.d/system-auth append rounds= to the pam_unix.so entry, as shown below: 
password sufficient pam_unix.so ...existing_options... rounds=
The system's default number of rounds is 5000.
CCE-87466-9 All GIDs referenced in /etc/passwd must be defined in /etc/group Add a group to the system for each GID referenced without a corresponding group.
CCE-86640-0 Prevent Login to Accounts With Empty Password If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.
CCE-90491-2 Ensure There Are No Accounts With Blank or Null Passwords Check the "/etc/shadow" file for blank passwords with the following command: 
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: 
$ sudo passwd [username]
Lock an account: 
$ sudo passwd -l [username]
CCE-90050-6 Verify No .forward Files Exist The .forward file specifies an email address to forward the user's mail to.
CCE-89147-3 Verify No netrc Files Exist The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.
CCE-87552-6 Verify Only Root Has UID 0 If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
CCE-90244-5 Verify Root Has A Primary GID 0 The root user should have a primary group of 0.
CCE-89099-6 Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty Ensure that the group referenced by var_pam_wheel_group_for_su variable and used as value for the pam_wheel.so group option exists and has no members. This empty group used by pam_wheel.so in /etc/pam.d/su ensures that no user can run commands with altered privileges through the su command.
CCE-89334-7 Ensure Authentication Required for Single User Mode Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.
CCE-87481-8 Direct root Logins Not Allowed To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 10's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: 
$ sudo echo > /etc/securetty
CCE-90273-4 Ensure that System Accounts Are Locked Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts.

System accounts are those user accounts with a user ID less than 1000. If any system account other than root, halt, sync, shutdown and nfsnobody has an unlocked password, disable it with the command: 
$ sudo usermod -L account
CCE-87448-7 Ensure that System Accounts Do Not Run a Shell Upon Login Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command: 
$ sudo usermod -s /sbin/nologin account
CCE-89728-0 Restrict Serial Port Root Logins To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty: 
ttyS0
ttyS1
CCE-89376-8 Restrict Virtual Console Root Logins To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty: 
vc/1
vc/2
vc/3
vc/4
CCE-90595-0 Enforce usage of pam_wheel for su authentication To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su: 
auth required pam_wheel.so use_uid
CCE-87119-4 Enforce Usage of pam_wheel with Group Parameter for su Authentication To ensure that only users who are members of the group set in the group option of pam_wheel.so module can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su: 
auth required pam_wheel.so use_uid group=
CCE-88604-4 Ensure Home Directories are Created for New Users All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows: 

CREATE_HOME yes
CCE-86822-4 Ensure the Logon Failure Delay is Set Correctly in login.defs To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: 
FAIL_DELAY
CCE-90751-9 Limit the Number of Concurrent Login Sessions Allowed Per User Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/: 
* hard maxlogins
CCE-88705-9 Configure Polyinstantiation of /tmp Directories To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: 
$ sudo mkdir --mode 000 /tmp/tmp-inst
Then, add the following entry to /etc/security/namespace.conf: 
/tmp     /tmp/tmp-inst/            level      root,adm
CCE-88424-7 Configure Polyinstantiation of /var/tmp Directories To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: 
$ sudo mkdir --mode 000 /var/tmp/tmp-inst
Then, add the following entry to /etc/security/namespace.conf: 
/var/tmp /var/tmp/tmp-inst/    level      root,adm
CCE-88163-1 Set Interactive Session Timeout Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh should read as follows: 
typeset -xr TMOUT=
or 
declare -xr TMOUT=
Using the typeset keyword is preferred for wider compatibility with ksh and other shells.
CCE-89225-7 User Initialization Files Must Be Group-Owned By The Primary Group Change the group owner of interactive users files to the group found in 
/etc/passwd
for the user. To change the group owner of a local interactive user home directory, use the following command: 
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
This rule ensures every initialization file related to an interactive user is group-owned by an interactive user.
CCE-90449-0 User Initialization Files Must Not Run World-Writable Programs Set the mode on files being executed by the user initialization files with the following command: 
$ sudo chmod o-w FILE
CCE-86981-8 User Initialization Files Must Be Owned By the Primary User Set the owner of the user initialization files for interactive users to the primary owner with the following command: 
$ sudo chown USER /home/USER/.*
This rule ensures every initialization file related to an interactive user is owned by an interactive user.
CCE-88926-1 Ensure that Users Path Contains Only Local Directories Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
CCE-89933-6 All Interactive Users Must Have A Home Directory Defined Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like /users, /tmp or /.
CCE-86659-0 All Interactive Users Home Directories Must Exist Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd: 
$ sudo mkdir /home/USER
CCE-87195-4 All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: 
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.
CCE-88043-5 All User Files and Directories In The Home Directory Must Have a Valid Owner Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive user's files and directories, use the following command: 
$ sudo chown -R USER /home/USER
This rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user.
CCE-87460-2 All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive Set the mode on files and directories in the local interactive user home directory with the following command: 
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.
CCE-87946-0 All Interactive User Home Directories Must Be Group-Owned By The Primary Group Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command: 
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
CCE-88344-7 All Interactive User Home Directories Must Be Owned By The Primary User Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: 
$ sudo chown USER /home/USER
This rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory.
CCE-87771-2 Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Set the mode of the user initialization files to 0740 with the following command: 
$ sudo chmod 0740 /home/USER/.INIT_FILE
CCE-89585-4 Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Set the mode of the user initialization files, including the root user, to 0740 with the following commands: 
$ sudo chmod 0740 /root/.INIT_FILE
$ sudo chmod 0740 /home/USER/.INIT_FILE
CCE-86605-3 All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command: 
$ sudo chmod 0750 /home/USER
CCE-88150-8 Ensure that Root's Path Does Not Include World or Group-Writable Directories For each element in root's path, run: 
# ls -ld DIR
and ensure that write permissions are disabled for group and other.
CCE-88793-5 Ensure that Root's Path Does Not Include Relative Paths or Null Directories Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples: 
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.
CCE-88580-6 Ensure the Default Bash Umask is Set Correctly To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows: 
umask
CCE-90597-6 Ensure the Default C Shell Umask is Set Correctly To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows: 
umask
CCE-89314-9 Ensure the Default Umask is Set Correctly in login.defs To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: 
UMASK
CCE-87651-6 Ensure the Default Umask is Set Correctly in /etc/profile To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: 
umask
Note that /etc/profile also reads scrips within /etc/profile.d directory. These scripts are also valid files to set umask value. Therefore, they should also be considered during the check and properly remediated, if necessary.
CCE-87122-8 Ensure the Default Umask is Set Correctly For Interactive Users Remove the UMASK environment variable from all interactive users initialization files.
CCE-87007-1 Disable Recovery Booting Red Hat Enterprise Linux 10 systems support an "recovery boot" option that can be used to prevent services from being started. The GRUB_DISABLE_RECOVERY configuration option in /etc/default/grub should be set to true to disable the generation of recovery mode menu entries. It is also required to change the runtime configuration, run: 
$ sudo grubby --update-kernel=ALL
CCE-87932-0 IOMMU configuration directive On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. To ensure that iommu=force is added as a kernel command line argument to newly installed kernels, add iommu=force to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... iommu=force ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="iommu=force"
Configure kernel to zero out memory before allocation To configure the kernel to zero out memory before allocating it, add the init_on_alloc=1 argument to the default GRUB 2 command line. To ensure that init_on_alloc=1 is added as a kernel command line argument to newly installed kernels, add init_on_alloc=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... init_on_alloc=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="init_on_alloc=1"
CCE-86521-2 Configure L1 Terminal Fault mitigations L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Select the appropriate mitigation by adding the argument l1tf= to the default GRUB 2 command line for the Linux operating system. To ensure that l1tf= is added as a kernel command line argument to newly installed kernels, add l1tf= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... l1tf= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="l1tf="
Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the following command: cat /sys/devices/system/cpu/vulnerabilities/l1tf
CCE-87067-5 Force kernel panic on uncorrected MCEs A Machine Check Exception is an error generated by the CPU itdetects an error in itself, memory or I/O devices. These errors may be corrected and generate a check log entry, if an error cannot be corrected the kernel may panic or SIGBUS. To force the kernel to panic on any uncorrected error reported by Machine Check set the MCE tolerance to zero by adding mce=0 to the default GRUB 2 command line for the Linux operating system. To ensure that mce=0 is added as a kernel command line argument to newly installed kernels, add mce=0 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... mce=0 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="mce=0"
CCE-88327-2 Configure Microarchitectural Data Sampling mitigation Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. When performing store, load, L1 refill operations, processors write data into temporary microarchitectural structures (buffers), and the data in the buffer can be forwarded to load operations as an optimization. Under certain conditions, data unrelated to the load operations can be speculatively forwarded from the buffers to a disclosure gadget which allows in turn to infer the value via a cache side channel attack. Select the appropriate mitigation by adding the argument mds= to the default GRUB 2 command line for the Linux operating system. To ensure that mds= is added as a kernel command line argument to newly installed kernels, add mds= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... mds= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="mds="
Not all processors are affected by all variants of MDS, but the mitigation mechanism is identical for all of them. Since Linux Kernel 5.2 you can check whether the system is vulnerable or mitigated with the following command: cat /sys/devices/system/cpu/vulnerabilities/mds
CCE-89372-7 Ensure SMAP is not disabled during boot The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default since Linux kernel 3.7. But it could be disabled through kernel boot parameters. Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. Check that the line 
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument nosmap. Run the following command to update command line for already installed kernels: 
# grubby --update-kernel=ALL --remove-args="nosmap"
CCE-89827-0 Ensure SMEP is not disabled during boot The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. Check that the line 
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument nosmep. Run the following command to update command line for already installed kernels: 
# grubby --update-kernel=ALL --remove-args="nosmep"
CCE-90506-7 Enable randomization of the page allocator To enable randomization of the page allocator in the kernel, add the page_alloc.shuffle=1 argument to the default GRUB 2 command line. To ensure that page_alloc.shuffle=1 is added as a kernel command line argument to newly installed kernels, add page_alloc.shuffle=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... page_alloc.shuffle=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_alloc.shuffle=1"
CCE-88971-7 Enable Kernel Page-Table Isolation (KPTI) To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. To ensure that pti=on is added as a kernel command line argument to newly installed kernels, add pti=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
CCE-90519-0 Configure the confidence in TPM for entropy The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not credited entropy. Use rng_core.default_quality in the kernel command line to set the trust level on the hardware generators. The trust level defines the amount of entropy to credit. A value of 0 tells the system not to trust the hardware random number generators available, and doesn't credit any entropy to the pool. A value of 1000 assigns full confidence in the generators, and credits all the entropy it provides to the pool. Note that the value of rng_core.default_quality is global, affecting the trust on all hardware random number generators. Select the appropriate confidence by adding the argument rng_core.default_quality= to the default GRUB 2 command line for the Linux operating system. To ensure that rng_core.default_quality= is added as a kernel command line argument to newly installed kernels, add rng_core.default_quality= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... rng_core.default_quality= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="rng_core.default_quality="
CCE-89884-1 Disable merging of slabs with similar size The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflows overwriting objects in merged caches. To disable merging of slabs in the Kernel add the argument slab_nomerge=yes to the default GRUB 2 command line for the Linux operating system. To ensure that slab_nomerge=yes is added as a kernel command line argument to newly installed kernels, add slab_nomerge=yes to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slab_nomerge=yes"
CCE-89300-8 Configure Speculative Store Bypass Mitigation Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window. Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass Select the appropriate SSB state by adding the argument spec_store_bypass_disable= to the default GRUB 2 command line for the Linux operating system. To ensure that spec_store_bypass_disable= is added as a kernel command line argument to newly installed kernels, add spec_store_bypass_disable= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... spec_store_bypass_disable= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="spec_store_bypass_disable="
CCE-90401-1 Enforce Spectre v2 mitigation Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch chosen by the attacker, even if the privilege level is different. Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 Enforce the Spectre V2 mitigation by adding the argument spectre_v2=on to the default GRUB 2 command line for the Linux operating system. To ensure that spectre_v2=on is added as a kernel command line argument to newly installed kernels, add spectre_v2=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... spectre_v2=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="spectre_v2=on"
CCE-89168-9 Ensure debug-shell service is not enabled during boot systemd's debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for systemd related issues and should otherwise be disabled.

By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 boot paramenter option. Check that the line 
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument systemd.debug-shell=1. Run the following command to update command line for already installed kernels: 
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
CCE-87153-3 Disable vsyscalls To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
CCE-88691-1 Verify /boot/grub2/grub.cfg Group Ownership The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command: 
$ sudo chgrp root /boot/grub2/grub.cfg
CCE-86797-8 Verify /boot/grub2/user.cfg Group Ownership The file /boot/grub2/user.cfg should be group-owned by the root group to prevent reading or modification of the file. To properly set the group owner of /boot/grub2/user.cfg, run the command: 
$ sudo chgrp root /boot/grub2/user.cfg
CCE-89438-6 Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command: 
$ sudo chown root /boot/grub2/grub.cfg
CCE-90573-7 Verify /boot/grub2/user.cfg User Ownership The file /boot/grub2/user.cfg should be owned by the root user to prevent reading or modification of the file. To properly set the owner of /boot/grub2/user.cfg, run the command: 
$ sudo chown root /boot/grub2/user.cfg
CCE-89290-1 Verify /boot/grub2/grub.cfg Permissions File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command: 
$ sudo chmod 600 /boot/grub2/grub.cfg
CCE-90099-3 Verify /boot/grub2/user.cfg Permissions File permissions for /boot/grub2/user.cfg should be set to 600. To properly set the permissions of /boot/grub2/user.cfg, run the command: 
$ sudo chmod 600 /boot/grub2/user.cfg
CCE-89960-9 Set the Boot Loader Admin Username to a Non-Default Value The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root'). 
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running: 
grubby --update-kernel=ALL
CCE-87614-4 Set Boot Loader Password in grub2 The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command: 
# grub2-setpassword
When prompted, enter the password that was selected.

CCE-89685-2 Set the UEFI Boot Loader Admin Username to a Non-Default Value The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root'). 
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running: 
grubby --update-kernel=ALL
CCE-89236-4 Set the UEFI Boot Loader Password The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command: 
# grub2-setpassword
When prompted, enter the password that was selected.

CCE-88929-5 Enable Auditing to Start Prior to the Audit Daemon in zIPL To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit=1 included in its options.
To ensure that new kernels and boot entries continue to enable audit, add audit=1 to /etc/kernel/cmdline.
CCE-89871-8 Extend Audit Backlog Limit for the Audit Daemon in zIPL To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 included in its options.
To ensure that new kernels and boot entries continue to extend the audit log events queue, add audit_backlog_limit=8192 to /etc/kernel/cmdline.
Configure kernel to zero out memory before allocation in zIPL To ensure that the kernel is configured to zero out memory before allocation, check that all boot entries in /boot/loader/entries/*.conf have init_on_alloc=1 included in its options.
To ensure that new kernels and boot entries continue to zero out memory before allocation, add init_on_alloc=1 to /etc/kernel/cmdline.
Enable randomization of the page allocator in zIPL To enable the randomization of the page allocator in the kernel, check that all boot entries in /boot/loader/entries/*.conf have page_alloc.shuffle=1 included in its options.
To enable randomization of the page allocator also for newly installed kernels, add page_alloc.shuffle=1 to /etc/kernel/cmdline.
CCE-87936-1 Ensure debug-shell service is not enabled in zIPL systemd's debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for systemd related issues and should otherwise be disabled.

By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 boot paramenter option. Check that not boot entries in /boot/loader/entries/*.conf have systemd.debug-shell=1 included in its options.
To ensure that new kernels and boot entries don't enable the debug-shell, check that systemd.debug-shell=1 is not present in /etc/kernel/cmdline.
Ensure all zIPL boot entries are BLS compliant Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) by checking that /etc/zipl.conf doesn't contain image = .
Ensure zIPL bootmap is up to date Make sure that /boot/bootmap is up to date.
Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to be updated to reflect the changes.
Run zipl command to generate an updated /boot/bootmap.
CCE-89223-2 Do not allow ACPI methods to be inserted/replaced at run time This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_ACPI_CUSTOM_METHOD, run the following command: grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-88152-4 Emulate Privileged Access Never (PAN) Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR0_EL1 temporarily. This configuration is available from kernel 4.10, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_ARM64_SW_TTBR0_PAN, run the following command: grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87210-1 Disable kernel support for MISC binaries Enabling CONFIG_BINFMT_MISC makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Python and DOS emulators. Once you have registered such a binary class with the kernel, you can start one of those programs simply by typing in its name at a shell prompt. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BINFMT_MISC, run the following command: grep CONFIG_BINFMT_MISC /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-89980-7 Enable support for BUG() Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this option for embedded systems with no facilities for reporting errors. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BUG, run the following command: grep CONFIG_BUG /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89202-6 Trigger a kernel BUG when data corruption is detected This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configuration is available from kernel 4.10. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BUG_ON_DATA_CORRUPTION, run the following command: grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90053-0 Disable compatibility with brk() Enabling compatiliby with brk() allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the cost of not being able to randomize the heap placement (ASLR). Unless legacy binaries need to run on the system, set CONFIG_COMPAT_BRK to "n". The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_BRK, run the following command: grep CONFIG_COMPAT_BRK /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-88353-8 Disable the 32-bit vDSO Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting CONFIG_COMPAT_VDSO to y turns off the 32-bit VDSO and works aroud the glibc bug. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_VDSO, run the following command: grep CONFIG_COMPAT_VDSO /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-88628-3 Enable checks on credential management Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that this number never exceeds the usage count of the cred struct. Furthermore, if SELinux is enabled, this also checks that the security pointer in the cred struct is never seen to be invalid. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_CREDENTIALS, run the following command: grep CONFIG_DEBUG_CREDENTIALS /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90684-2 Disable kernel debugfs debugfs is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_FS, run the following command: grep CONFIG_DEBUG_FS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-86739-0 Enable checks on linked list manipulation Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_LIST, run the following command: grep CONFIG_DEBUG_LIST /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89355-2 Enable checks on notifier call chains Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_NOTIFIERS, run the following command: grep CONFIG_DEBUG_NOTIFIERS /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89292-7 Enable checks on scatter-gather (SG) table operations Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_SG, run the following command: grep CONFIG_DEBUG_SG /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89612-6 Warn on W+X mappings found at boot Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_WX, run the following command: grep CONFIG_DEBUG_WX /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90330-2 Configure Low Address Space To Protect From User Allocation This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEFAULT_MMAP_MIN_ADDR, run the following command: grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-* For each kernel installed, a line with value should be returned. If the system architecture is x86_64, the value should be 65536. If the system architecture is aarch64, the value should be 32768.
CCE-87428-9 Disable /dev/kmem virtual device support Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEVKMEM, run the following command: grep CONFIG_DEVKMEM /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-88438-7 Harden common str/mem functions against buffer overflows Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_FORTIFY_SOURCE, run the following command: grep CONFIG_FORTIFY_SOURCE /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87475-0 Harden memory copies between kernel and userspace This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This configuration is available from kernel 4.8, and may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HARDENED_USERCOPY, run the following command: grep CONFIG_HARDENED_USERCOPY /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87652-4 Do not allow usercopy whitelist violations to fallback to object size This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, falling back to non-whitelisted hardened usercopy that checks the slab allocation size instead of the whitelist size. This configuration is available from kernel 4.16. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HARDENED_USERCOPY_FALLBACK, run the following command: grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87786-0 Disable hibernation Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on reboot. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HIBERNATION, run the following command: grep CONFIG_HIBERNATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87905-6 Disable IA32 emulation Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_IA32_EMULATION, run the following command: grep CONFIG_IA32_EMULATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-89414-7 Disable kexec system call kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And like a reboot you can start any kernel with it, not just Linux. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_KEXEC, run the following command: grep CONFIG_KEXEC /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-89570-6 Disable legacy (BSD) PTY support Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern ptys (devpts) interface. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_PTYS, run the following command: grep CONFIG_LEGACY_PTYS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-89233-1 Disable vsyscall emulation The kernel traps and emulates calls into the fixed vsyscall address mapping. This configuration is available from kernel 5.3, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_EMULATE, run the following command: grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87478-4 Disable vsyscall mapping This config disables the vsyscall mapping at all. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspace programs can be identified. This configuration is available from kernel 4.4. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_NONE, run the following command: grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87630-0 Disable vsyscall emulate execution only The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5.3. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_XONLY, run the following command: grep CONFIG_LEGACY_VSYSCALL_XONLY /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-86522-0 Disable the LDT (local descriptor table) Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some Wine programs. It is also used by some very old threading libraries. This configuration is available from kernel 4.3, but may be available if backported by distros. Disable LDT if 16-bit program emulation is not necessary. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODIFY_LDT_SYSCALL, run the following command: grep CONFIG_MODIFY_LDT_SYSCALL /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-86836-4 Enable module signature verification Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG, run the following command: grep CONFIG_MODULE_SIG /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-86520-4 Enable automatic signing of all modules Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_ALL, run the following command: grep CONFIG_MODULE_SIG_ALL /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89203-4 Require modules to be validly signed Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_FORCE, run the following command: grep CONFIG_MODULE_SIG_FORCE /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87400-8 Specify the hash to use when signing modules This configures the kernel to build and sign modules using as the hash function. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_HASH, run the following command: grep CONFIG_MODULE_SIG_HASH /boot/config-* For each kernel installed, a line with value "" should be returned.
CCE-90444-1 Specify module signing key to use Setting this option to something other than its default of certs/signing_key.pem will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private key and its corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should reference both a certificate and a private key. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_KEY, run the following command: grep CONFIG_MODULE_SIG_KEY /boot/config-* For each kernel installed, a line with value "" should be returned.
CCE-87565-8 Sign kernel modules with SHA-512 This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_SHA512, run the following command: grep CONFIG_MODULE_SIG_SHA512 /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87544-3 Enable poison of pages after freeing Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if enabled with the "page_poison=1" kernel boot option. This configuration is available from kernel 4.6. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING, run the following command: grep CONFIG_PAGE_POISONING /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87844-7 Enable poison without sanity check Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This configuration is available from kernel 4.6. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING_NO_SANITY, run the following command: grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90278-3 Use zero for poisoning instead of debugging value Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longer necessary to write zeros when GFP_ZERO is used on allocation. This configuration is available from kernel 4.19. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING_ZERO, run the following command: grep CONFIG_PAGE_POISONING_ZERO /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88464-3 Remove the kernel mapping in user mode This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This configuration is available from kernel 4.15, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_TABLE_ISOLATION, run the following command: grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89985-6 Kernel panic oops Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PANIC_ON_OOPS, run the following command: grep CONFIG_PANIC_ON_OOPS /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-86964-4 Kernel panic timeout Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeout value greater than 0, the system will wait the specified amount of seconds before rebooting. While a timeout value less than 0 makes the system reboot immediately. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PANIC_TIMEOUT, run the following command: grep CONFIG_PANIC_TIMEOUT /boot/config-* For each kernel installed, a line with value "" should be returned.
CCE-88511-1 Disable support for /proc/kkcore Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PROC_KCORE, run the following command: grep CONFIG_PROC_KCORE /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87989-0 Randomize the address of the kernel image (KASLR) In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RANDOMIZE_BASE, run the following command: grep CONFIG_RANDOMIZE_BASE /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88383-5 Randomize the kernel memory sections Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available from kernel 4.8, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RANDOMIZE_MEMORY, run the following command: grep CONFIG_RANDOMIZE_MEMORY /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88998-0 Perform full reference count validation Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can have a slight impact in performance. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_REFCOUNT_FULL, run the following command: grep CONFIG_REFCOUNT_FULL /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89562-3 Avoid speculative indirect branches in kernel Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern support for full protection. The kernel may run slower. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RETPOLINE, run the following command: grep CONFIG_RETPOLINE /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-86229-2 Detect stack corruption on calls to schedule() This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten always panic as the content of the corrupted region can no longer be trusted. This configuration is available from kernel 3.18. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SCHED_STACK_END_CHECK, run the following command: grep CONFIG_SCHED_STACK_END_CHECK /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87403-2 Enable seccomp to safely compute untrusted bytecode This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process as file descriptors supporting the read/write syscalls, it's possible to isolate those applications in their own address space using seccomp. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECCOMP, run the following command: grep CONFIG_SECCOMP /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89407-1 Enable use of Berkeley Packet Filter with seccomp Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECCOMP_FILTER, run the following command: grep CONFIG_SECCOMP_FILTER /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87679-7 Enable different security models This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY, run the following command: grep CONFIG_SECURITY /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89137-4 Restrict unprivileged access to the kernel syslog Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_DMESG_RESTRICT, run the following command: grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89825-4 Disable mutable hooks Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_WRITABLE_HOOKS, run the following command: grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87793-6 Enable Yama support This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use of the system call ptrace(). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_YAMA, run the following command: grep CONFIG_SECURITY_YAMA /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90147-0 Harden slab freelist metadata This feature protects integrity of the allocator's metadata. This configuration is available from kernel 4.14. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_FREELIST_HARDENED, run the following command: grep CONFIG_SLAB_FREELIST_HARDENED /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87141-8 Randomize slab freelist Randomizes the freelist order used on creating new pages. This configuration is available from kernel 5.9, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_FREELIST_RANDOM, run the following command: grep CONFIG_SLAB_FREELIST_RANDOM /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88834-7 Disallow merge of slab caches For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. This carries a risk of kernel heap overflows being able to overwrite objects from merged caches (and more easily control cache layout), which makes such heap attacks easier to exploit by attackers. This configuration is available from kernel 4.13. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_MERGE_DEFAULT, run the following command: grep CONFIG_SLAB_MERGE_DEFAULT /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87071-7 Enable SLUB debugging support SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLUB_DEBUG, run the following command: grep CONFIG_SLUB_DEBUG /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88537-6 Stack Protector buffer overlow detection This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. This configuration is available from kernel 4.18. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR, run the following command: grep CONFIG_STACKPROTECTOR /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89676-1 Strong Stack Protector This features adds canary logic protection to more kinds of vulnerable functions than CONFIG_STACKPROTECTOR, but not to all functions so that performance is not severily impacted. This configuration is available from kernel 4.18. This config requires gcc version 4.9 or above, or a distribution gcc with the feature backported ("-fstack-protector-strong"). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR_STRONG, run the following command: grep CONFIG_STACKPROTECTOR_STRONG /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87949-4 Make the kernel text and rodata read-only When set, kernel text and rodata memory will be made read-only, and non-text memory will be made non-executable. This configuration is available from kernel 4.11. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STRICT_KERNEL_RWX, run the following command: grep CONFIG_STRICT_KERNEL_RWX /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89410-5 Make the module text and rodata read-only When set, module text and rodata memory will be made read-only, and non-text memory will be made non-executable. This configuration is available from kernel 4.11. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STRICT_MODULE_RWX, run the following command: grep CONFIG_STRICT_MODULE_RWX /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89322-2 Enable TCP/IP syncookie support Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoing attack. When enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies to enable legitimate users to continue to connect, even when your machine is under attack. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SYN_COOKIES, run the following command: grep CONFIG_SYN_COOKIES /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90608-1 Unmap kernel when running in userspace (aka KAISER) Speculation attacks against some high-performance processors can be used to bypass MMU permission checks and leak kernel data to userspace. This can be defended against by unmapping the kernel when running in userspace, mapping it back in on exception entry via a trampoline page in the vector table. This configuration is available from kernel 4.16, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_UNMAP_KERNEL_AT_EL0, run the following command: grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90287-4 User a virtually-mapped stack Enable this to use virtually-mapped kernel stacks with guard pages. This configuration is available from kernel 4.9. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_VMAP_STACK, run the following command: grep CONFIG_VMAP_STACK /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-88133-4 Disable x86 vsyscall emulation Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also disable the helpful warning if a program tries to use a vsyscall. With this option set to N, offending programs will just segfault, citing addresses of the form 0xffffffffff600?00. This configuration is available from kernel 3.19. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_X86_VSYSCALL_EMULATION, run the following command: grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
CCE-87680-5 Generate some entropy during boot and runtime Instrument some kernel code to extract some entropy from both original and artificially created program state. This will help especially embedded systems where there is little 'natural' source of entropy normally. This configuration is available from kernel 4.9, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_LATENT_ENTROPY, run the following command: grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89190-3 Randomize layout of sensitive kernel structures Randomize at compile-time the layouts of structures that are entirely function pointers (and have not been manually annotated with __no_randomize_layout), or structures that have been explicitly marked with __randomize_layout. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_RANDSTRUCT, run the following command: grep CONFIG_GCC_PLUGIN_RANDSTRUCT /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-87622-7 Poison kernel stack before returning from syscalls This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving the stack initialized to the poison value, which both reduces the lifetime of any sensitive stack contents and reduces potential for uninitialized stack variable exploits or information exposures (it does not cover functions reaching the same stack depth as prior functions during the same syscall). This configuration is available from kernel 4.20, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STACKLEAK, run the following command: grep CONFIG_GCC_PLUGIN_STACKLEAK /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90661-0 Force initialization of variables containing userspace addresses While the kernel is built with warnings enabled for any missed stack variable initializations, this warning is silenced for anything passed by reference to another function, under the occasionally misguided assumption that the function will do the initialization. As this regularly leads to exploitable flaws, this plugin is available to identify and zero-initialize such variables, depending on the chosen level of coverage. This configuration is available from kernel 4.11, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STRUCTLEAK, run the following command: grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-90006-8 zero-init everything passed by reference Zero-initialize any stack variables that may be passed by reference and had not already been explicitly initialized. This configuration is available from kernel 4.14, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, run the following command: grep CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL /boot/config-* For each kernel installed, a line with value "y" should be returned.
CCE-89106-9 Ensure rsyslog-gnutls is installed TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command: 
$ sudo dnf install rsyslog-gnutls
CCE-90353-4 Ensure rsyslog is Installed Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ sudo dnf install rsyslog
CCE-90584-4 Enable rsyslog Service The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 10. The rsyslog service can be enabled with the following command: 
$ sudo systemctl enable rsyslog.service
CCE-90383-1 Ensure cron Is Logging To Rsyslog Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf: If the legacy syntax is used: 
cron.*                                                  /var/log/cron
If the modern syntax (RainerScript) is used: 
cron.* action(type="omfile" file="/var/log/cron")
CCE-88521-0 Ensure Rsyslog Authenticates Off-Loaded Audit Records Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs the remote system must be authenticated. Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax): 
$ActionSendStreamDriverAuthMode x509/name
Alternatively, use the RainerScript syntax: 
action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")
CCE-88359-5 Ensure Rsyslog Encrypts Off-Loaded Audit Records Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off a encrpytion system must be used. Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax): 
$ActionSendStreamDriverMode 1
Alternatively, use the RainerScript syntax: 
action(type="omfwd" ... StreamDriverMode="1")
CCE-89018-6 Ensure Rsyslog Encrypts Off-Loaded Audit Records Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off an encryption system must be used. Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax): 
$DefaultNetstreamDriver gtls
Alternatively, use the RainerScript syntax: 
global(DefaultNetstreamDriver="gtls")
CCE-90074-6 Ensure Log Files Are Owned By Appropriate Group The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner: 
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this: 
$ sudo chgrp root LOGFILE
CCE-88780-2 Ensure Log Files Are Owned By Appropriate User The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner: 
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this: 
$ sudo chown root LOGFILE
CCE-89058-2 Ensure System Log Files Have Correct Permissions The file permissions for all log files written by rsyslog should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions: 
$ ls -l LOGFILE
If the permissions are not 640 or more restrictive, run the following command to correct this: 
$ sudo chmod 640 LOGFILE
"
CCE-87341-4 Ensure remote access methods are monitored in Rsyslog Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote access method is the use of the Remote Desktop Protocol (RDP) from an external, non-organization controlled network. The /etc/rsyslog.conf or /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration: auth.*;authpriv.* /var/log/secure daemon.* /var/log/messages
CCE-89465-9 Install systemd-journal-remote Package Journald (via systemd-journal-remote ) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.
CCE-89396-6 Enable systemd-journald Service The systemd-journald service is an essential component of systemd. The systemd-journald service can be enabled with the following command: 
$ sudo systemctl enable systemd-journald.service
CCE-87639-1 Ensure journald is configured to compress large log files The journald system can compress large log files to avoid fill the system disk.
CCE-90077-9 Ensure journald is configured to write log files to persistent disk The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.
CCE-87754-8 Disable systemd-journal-remote Socket Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote , is used for both sending logs to remote hosts and receiving incoming logs. With regards to receiving logs, there are two Systemd unit files; systemd-journal-remote.socket and systemd-journal-remote.service.
CCE-88423-9 Ensure logrotate is Installed logrotate is installed by default. The logrotate package can be installed with the following command: 
 $ sudo dnf install logrotate
CCE-88779-4 Ensure Logrotate Runs Periodically The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task or a timer. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf: 
# rotate log files frequency
daily
CCE-87463-6 Enable logrotate Timer The logrotate timer can be enabled with the following command: 
$ sudo systemctl enable logrotate.timer
CCE-89374-3 Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are not found in rsyslog configuration files. If using legacy syntax: 
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
If using RainerScript syntax: 
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")
CCE-90372-4 Ensure Logs Sent To Remote Host To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery: 
*.* @

To use TCP for log message delivery: 
*.* @@

To use RELP for log message delivery: 
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
CCE-86592-3 Configure TLS for rsyslog remote logging Configure rsyslog to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in /etc/rsyslog.conf using action. You can use the following command: 
echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514"
    StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf
Replace the <remote system> in the above command with an IP address or a host name of the remote logging server.
CCE-88456-9 Configure CA certificate for rsyslog remote logging Configure CA certificate for rsyslog logging to remote server using Transport Layer Security (TLS) using correct path for the DefaultNetstreamDriverCAFile global option in /etc/rsyslog.conf, for example with the following command: 
echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf
Replace the /etc/pki/tls/cert.pem in the above command with the path to the file with CA certificate generated for the purpose of remote logging.
CCE-88312-4 Configure Multiple DNS Servers in /etc/resolv.conf Determine whether the system is using local or DNS name resolution with the following command: 
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: 
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following:
Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example: 
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
CCE-87391-9 Prevent non-Privileged Users from Modifying Network Interfaces using nmcli By default, non-privileged users are given permissions to modify networking interfaces and configurations using the nmcli command. Non-privileged users should not be making configuration changes to network configurations. To ensure that non-privileged users do not have permissions to make changes to the network configuration using nmcli, create the following configuration in /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla: 
[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
CCE-88985-7 Ensure System is Not Acting as a Network Sniffer The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: 
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command: 
$ sudo ip link set dev device_name multicast off promisc off
CCE-88164-9 Install firewalld Package The firewalld package can be installed with the following command: 
$ sudo dnf install firewalld
CCE-88110-2 Verify firewalld Enabled The firewalld service can be enabled with the following command: 
$ sudo systemctl enable firewalld.service
CCE-87091-5 Configure the Firewalld Ports Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command: 
firewall-cmd --permanent --add-port=port_number/tcp
To configure firewalld to allow access for pre-defined services, run the following command: 
firewall-cmd --permanent --add-service=service_name
CCE-89418-8 Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems Red Hat Enterprise Linux 10 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
CCE-89320-6 Configure Firewalld to Restrict Loopback Traffic Configure firewalld to restrict loopback traffic to the lo interface. The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure. To configure firewalld to restrict loopback traffic to the lo interface, run the following commands: 
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
To ensure firewalld settings are applied in runtime, run the following command: 
firewall-cmd --reload
CCE-90267-6 Configure Firewalld to Trust Loopback Traffic Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system. To configure firewalld to trust loopback traffic, run the following command: 
sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure firewalld settings are applied in runtime, run the following command: 
firewall-cmd --reload
CCE-87823-1 Set Default firewalld Zone for Incoming Packets To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be: 
DefaultZone=drop
CCE-87497-4 Install libreswan Package The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command: 
$ sudo dnf install libreswan
CCE-88800-8 Verify Group Who Owns /etc/ipsec.d Directory To properly set the group owner of /etc/ipsec.d, run the command: 
$ sudo chgrp root /etc/ipsec.d
CCE-87636-7 Verify User Who Owns /etc/ipsec.d Directory To properly set the owner of /etc/ipsec.d, run the command: 
$ sudo chown root /etc/ipsec.d
CCE-88730-7 Verify Permissions On /etc/ipsec.d Directory To properly set the permissions of /etc/ipsec.d, run the command: 
$ sudo chmod 0700 /etc/ipsec.d
CCE-86941-2 Verify Group Who Owns /etc/ipsec.conf File To properly set the group owner of /etc/ipsec.conf, run the command: 
$ sudo chgrp root /etc/ipsec.conf
CCE-89956-7 Verify Group Who Owns /etc/ipsec.secrets File To properly set the group owner of /etc/ipsec.secrets, run the command: 
$ sudo chgrp root /etc/ipsec.secrets
CCE-87602-9 Verify User Who Owns /etc/ipsec.conf File To properly set the owner of /etc/ipsec.conf, run the command: 
$ sudo chown root /etc/ipsec.conf
CCE-89330-5 Verify User Who Owns /etc/ipsec.secrets File To properly set the owner of /etc/ipsec.secrets, run the command: 
$ sudo chown root /etc/ipsec.secrets
CCE-86443-9 Verify Permissions On /etc/ipsec.conf File To properly set the permissions of /etc/ipsec.conf, run the command: 
$ sudo chmod 0644 /etc/ipsec.conf
CCE-89450-1 Verify Permissions On /etc/ipsec.secrets File To properly set the permissions of /etc/ipsec.secrets, run the command: 
$ sudo chmod 0644 /etc/ipsec.secrets
CCE-87382-8 Verify Any Configured IPSec Tunnel Connections Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d exists is an approved organizational connection.
CCE-86460-3 Verify Group Who Owns /etc/iptables Directory To properly set the group owner of /etc/iptables, run the command: 
$ sudo chgrp root /etc/iptables
CCE-89981-5 Verify User Who Owns /etc/iptables Directory To properly set the owner of /etc/iptables, run the command: 
$ sudo chown root /etc/iptables
CCE-86577-4 Verify Permissions On /etc/iptables Directory To properly set the permissions of /etc/iptables, run the command: 
$ sudo chmod 0700 /etc/iptables
CCE-87216-8 Manually Assign Global IPv6 Address To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface . Add or correct the following line (substituting the correct IPv6 address): 
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849.
CCE-88665-5 Configure Accepting Router Advertisements on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_ra = 0
CCE-90653-7 Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_ra_defrtr = 0
CCE-88717-4 Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_ra_pinfo = 0
CCE-90302-1 Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_ra_rtr_pref = 0
CCE-90083-7 Disable Accepting ICMP Redirects for All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_redirects = 0
CCE-90450-8 Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_source_route = 0
CCE-88386-8 Configure Auto Configuration on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.autoconf=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.autoconf = 0
CCE-86882-8 Disable Kernel Parameter for IPv6 Forwarding To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.forwarding = 0
CCE-88552-5 Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.max_addresses = 1
CCE-89461-8 Configure Denying Router Solicitations on All IPv6 Interfaces To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.router_solicitations = 0
CCE-90557-0 Disable Accepting Router Advertisements on all IPv6 Interfaces by Default To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_ra = 0
CCE-88613-5 Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_ra_defrtr = 0
CCE-88012-0 Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_ra_pinfo = 0
CCE-90749-3 Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_ra_rtr_pref = 0
CCE-89486-5 Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_redirects = 0
CCE-89135-8 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_source_route = 0
CCE-86607-9 Configure Auto Configuration on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.autoconf=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.autoconf = 0
CCE-89273-7 Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.max_addresses = 1
CCE-89658-9 Configure Denying Router Solicitations on All IPv6 Interfaces By Default To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.router_solicitations = 0
CCE-86895-0 Disable Accepting Packets Routed Between Local Interfaces To set the runtime status of the net.ipv4.conf.all.accept_local kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.accept_local=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.accept_local = 0
CCE-90409-4 Disable Accepting ICMP Redirects for All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.accept_redirects = 0
CCE-90165-2 Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.accept_source_route = 0
CCE-89431-1 Configure ARP filtering for All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.arp_filter=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.arp_filter =
CCE-87433-9 Configure Response Mode of ARP Requests for All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.arp_ignore =
CCE-89975-7 Drop Gratuitious ARP frames on All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.drop_gratuitous_arp = 1
CCE-87420-6 Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.forwarding = 0
CCE-89499-8 Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.log_martians = 1
CCE-87566-6 Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.route_localnet = 0
CCE-88689-5 Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.rp_filter = 1
CCE-87848-8 Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.secure_redirects = 0
CCE-87897-5 Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.shared_media=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.shared_media =
CCE-86820-8 Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.accept_redirects = 0
CCE-88071-6 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.accept_source_route = 0
CCE-87672-2 Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.log_martians = 1
CCE-87424-8 Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.rp_filter = 1
CCE-87878-5 Configure Kernel Parameter for Accepting Secure Redirects By Default To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.secure_redirects = 0
CCE-89010-3 Configure Sending and Accepting Shared Media Redirects by Default To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.shared_media=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.shared_media =
CCE-86918-0 Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.icmp_echo_ignore_broadcasts = 1
CCE-87841-3 Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.icmp_ignore_bogus_error_responses = 1
CCE-90347-6 Set Kernel Parameter to Increase Local Port Range To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.ip_local_port_range = 32768 65535
CCE-86242-5 Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments Make sure that the system is configured to limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid due to any of these reasons: (a) out-of-window sequence number, (b) out-of-window acknowledgment number, or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure This measure protects against or limits effects of DoS attacks against the system. Set the system to implement rate-limiting measures by adding the following line to /etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): 
net.ipv4.tcp_invalid_ratelimit =
Issue the following command to make the changes take effect: 
# sysctl --system
CCE-86164-1 Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.tcp_rfc1337=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.tcp_rfc1337 = 1
CCE-88084-9 Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.tcp_syncookies = 1
CCE-88360-3 Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.send_redirects = 0
CCE-89177-0 Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.send_redirects = 0
CCE-87377-8 Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.ip_forward = 0
CCE-87358-8 Install nftables Package nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. The nftables package can be installed with the following command: 
$ sudo dnf install nftables
CCE-88523-6 Verify nftables Service is Disabled nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The nftables service can be disabled with the following command: 
systemctl disable nftables
CCE-87879-3 Verify Group Who Owns /etc/nftables Directory To properly set the group owner of /etc/nftables, run the command: 
$ sudo chgrp root /etc/nftables
CCE-88672-1 Verify User Who Owns /etc/nftables Directory To properly set the owner of /etc/nftables, run the command: 
$ sudo chown root /etc/nftables
CCE-88802-4 Verify Permissions On /etc/nftables Directory To properly set the permissions of /etc/nftables, run the command: 
$ sudo chmod 0700 /etc/nftables
CCE-89282-8 Disable CAN Support The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: 
install can /bin/false
CCE-89435-2 Disable DCCP Support The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf: 
install dccp /bin/false
CCE-89280-2 Disable RDS Support The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf: 
install rds /bin/false
CCE-90489-6 Disable SCTP Support The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: 
install sctp /bin/false
CCE-86569-1 Disable TIPC Support The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: 
install tipc /bin/false
CCE-90381-5 Disable Bluetooth Service The bluetooth service can be disabled with the following command: 
$ sudo systemctl mask --now bluetooth.service
$ sudo service bluetooth stop
CCE-87455-2 Disable Bluetooth Kernel Module The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module: 
install bluetooth /bin/true
CCE-88576-4 Deactivate Wireless Network Interfaces Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command: 
$ sudo nmcli radio all off
CCE-90712-1 NetworkManager DNS Mode Must Be Must Configured The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected.
CCE-89514-4 Ensure All World-Writable Directories Are Owned by root User All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.
CCE-88397-5 Verify that All World-Writable Directories Have Sticky Bits Set When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: 
$ sudo chmod +t DIR
CCE-89520-1 Verify that system commands directories have root as a group owner System commands are stored in the following directories: by default: 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should have root user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command: 
$ sudo chgrp root DIR
CCE-88203-5 Verify that system commands directories have root ownership System commands are stored in the following directories by default: 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should be owned by the root user. If any system command directory is not owned by a user other than root correct its ownership with the following command: 
$ sudo chown root DIR
CCE-88558-2 Verify Group Who Owns /etc/crypttab File To properly set the group owner of /etc/crypttab, run the command: 
$ sudo chgrp root /etc/crypttab
CCE-90164-5 Verify Group Who Owns System.map Files The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files must be group-owned by root. To properly set the group owner of /boot/System.map*, run the command: 
$ sudo chgrp root /boot/System.map*
CCE-89519-3 Verify User Who Owns /etc/crypttab File To properly set the owner of /etc/crypttab, run the command: 
$ sudo chown root /etc/crypttab
CCE-89808-0 Verify User Who Owns System.map Files The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files must be owned by root. To properly set the owner of /boot/System.map*, run the command: 
$ sudo chown root /boot/System.map*
CCE-89306-5 Verify Permissions on /etc/audit/auditd.conf To properly set the permissions of /etc/audit/auditd.conf, run the command: 
$ sudo chmod 0640 /etc/audit/auditd.conf
CCE-89313-1 Verify Permissions on /etc/audit/rules.d/*.rules To properly set the permissions of /etc/audit/rules.d/*.rules, run the command: 
$ sudo chmod 0640 /etc/audit/rules.d/*.rules
CCE-88726-5 Verify Permissions On /etc/crypttab File To properly set the permissions of /etc/crypttab, run the command: 
$ sudo chmod 0600 /etc/crypttab
CCE-86786-1 Verify Permissions on System.map Files The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. In general, there is no need for non-root users to read these files. To properly set the permissions of /boot/System.map*, run the command: 
$ sudo chmod 0600 /boot/System.map*
CCE-90184-3 Ensure All SGID Executables Are Authorized The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.
CCE-86999-0 Ensure All SUID Executables Are Authorized The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.
CCE-87656-5 Ensure No World-Writable Files Exist It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.
CCE-88305-8 Ensure All Files Are Owned by a Group If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. Locate the mount points related to local devices by the following command: 
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command: 
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
CCE-89680-3 Ensure All Files Are Owned by a User If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command: 
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command: 
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
CCE-87125-1 Enable Kernel Parameter to Enforce DAC on FIFOs To set the runtime status of the fs.protected_fifos kernel parameter, run the following command: 
$ sudo sysctl -w fs.protected_fifos=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.protected_fifos = 2
CCE-86689-7 Enable Kernel Parameter to Enforce DAC on Hardlinks To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: 
$ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.protected_hardlinks = 1
CCE-90354-2 Enable Kernel Parameter to Enforce DAC on Regular files To set the runtime status of the fs.protected_regular kernel parameter, run the following command: 
$ sudo sysctl -w fs.protected_regular=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.protected_regular = 2
CCE-88796-8 Enable Kernel Parameter to Enforce DAC on Symlinks To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: 
$ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.protected_symlinks = 1
CCE-86980-0 Verify Permissions and Ownership of Old Passwords File To properly set the owner of /etc/security/opasswd, run the command: 
$ sudo chown root /etc/security/opasswd
To properly set the group owner of /etc/security/opasswd, run the command: 
$ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command: 
$ sudo chmod 0600 /etc/security/opasswd
CCE-89477-4 Verify Group Who Owns Backup group File To properly set the group owner of /etc/group-, run the command: 
$ sudo chgrp root /etc/group-
CCE-88453-6 Verify Group Who Owns Backup gshadow File To properly set the group owner of /etc/gshadow-, run the command: 
$ sudo chgrp root /etc/gshadow-
CCE-89914-6 Verify Group Who Owns Backup passwd File To properly set the group owner of /etc/passwd-, run the command: 
$ sudo chgrp root /etc/passwd-
CCE-88235-7 Verify User Who Owns Backup shadow File To properly set the group owner of /etc/shadow-, run the command: 
$ sudo chgrp root /etc/shadow-
CCE-90261-9 Verify Group Who Owns group File To properly set the group owner of /etc/group, run the command: 
$ sudo chgrp root /etc/group
CCE-90043-1 Verify Group Who Owns gshadow File To properly set the group owner of /etc/gshadow, run the command: 
$ sudo chgrp root /etc/gshadow
CCE-89210-9 Verify Group Who Owns passwd File To properly set the group owner of /etc/passwd, run the command: 
$ sudo chgrp root /etc/passwd
CCE-87579-9 Verify Group Who Owns shadow File To properly set the group owner of /etc/shadow, run the command: 
$ sudo chgrp root /etc/shadow
CCE-90020-9 Verify Group Who Owns /etc/shells File To properly set the group owner of /etc/shells, run the command: 
$ sudo chgrp root /etc/shells
CCE-89017-8 Verify User Who Owns Backup group File To properly set the owner of /etc/group-, run the command: 
$ sudo chown root /etc/group-
CCE-86957-8 Verify User Who Owns Backup gshadow File To properly set the owner of /etc/gshadow-, run the command: 
$ sudo chown root /etc/gshadow-
CCE-90377-3 Verify User Who Owns Backup passwd File To properly set the owner of /etc/passwd-, run the command: 
$ sudo chown root /etc/passwd-
CCE-87502-1 Verify Group Who Owns Backup shadow File To properly set the owner of /etc/shadow-, run the command: 
$ sudo chown root /etc/shadow-
CCE-86870-3 Verify User Who Owns group File To properly set the owner of /etc/group, run the command: 
$ sudo chown root /etc/group
CCE-87701-9 Verify User Who Owns gshadow File To properly set the owner of /etc/gshadow, run the command: 
$ sudo chown root /etc/gshadow
CCE-87827-2 Verify User Who Owns passwd File To properly set the owner of /etc/passwd, run the command: 
$ sudo chown root /etc/passwd
CCE-86857-0 Verify User Who Owns shadow File To properly set the owner of /etc/shadow, run the command: 
$ sudo chown root /etc/shadow
CCE-89594-6 Verify Who Owns /etc/shells File To properly set the owner of /etc/shells, run the command: 
$ sudo chown root /etc/shells
CCE-86579-0 Verify Permissions on Backup group File To properly set the permissions of /etc/group-, run the command: 
$ sudo chmod 0644 /etc/group-
CCE-89056-6 Verify Permissions on Backup gshadow File To properly set the permissions of /etc/gshadow-, run the command: 
$ sudo chmod 0000 /etc/gshadow-
CCE-86854-7 Verify Permissions on Backup passwd File To properly set the permissions of /etc/passwd-, run the command: 
$ sudo chmod 0644 /etc/passwd-
CCE-87423-0 Verify Permissions on Backup shadow File To properly set the permissions of /etc/shadow-, run the command: 
$ sudo chmod 0000 /etc/shadow-
CCE-88868-5 Verify Permissions on group File To properly set the permissions of /etc/group, run the command: 
$ sudo chmod 0644 /etc/group
CCE-86975-0 Verify Permissions on gshadow File To properly set the permissions of /etc/gshadow, run the command: 
$ sudo chmod 0000 /etc/gshadow
CCE-90644-6 Verify Permissions on passwd File To properly set the permissions of /etc/passwd, run the command: 
$ sudo chmod 0644 /etc/passwd
CCE-88433-8 Verify Permissions on shadow File To properly set the permissions of /etc/shadow, run the command: 
$ sudo chmod 0000 /etc/shadow
CCE-89912-0 Verify Permissions on /etc/shells File To properly set the permissions of /etc/shells, run the command: 
$ sudo chmod 0644 /etc/shells
CCE-89035-0 Verify Group Who Owns /var/log Directory To properly set the group owner of /var/log, run the command: 
$ sudo chgrp root /var/log
CCE-86924-8 Verify Group Who Owns /var/log/messages File To properly set the group owner of /var/log/messages, run the command: 
$ sudo chgrp root /var/log/messages
CCE-86705-1 Verify User Who Owns /var/log Directory To properly set the owner of /var/log, run the command: 
$ sudo chown root /var/log
CCE-89093-9 Verify User Who Owns /var/log/messages File To properly set the owner of /var/log/messages, run the command: 
$ sudo chown root /var/log/messages
CCE-89801-5 Verify Permissions on /var/log Directory To properly set the permissions of /var/log, run the command: 
$ sudo chmod 0755 /var/log
CCE-89397-4 Verify Permissions on /var/log/messages File To properly set the permissions of /var/log/messages, run the command: 
$ sudo chmod 0640 /var/log/messages
CCE-88290-2 Verify that Shared Library Directories Have Root Group Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chgrp root DIR
CCE-89745-4 Verify that Shared Library Directories Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chown root DIR
CCE-87731-6 Verify that Shared Library Directories Have Restrictive Permissions System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w DIR
CCE-90122-3 Verify Group Who Owns /etc/sysctl.d Directory To properly set the group owner of /etc/sysctl.d, run the command: 
$ sudo chgrp root /etc/sysctl.d
CCE-87242-4 Verify User Who Owns /etc/sysctl.d Directory To properly set the owner of /etc/sysctl.d, run the command: 
$ sudo chown root /etc/sysctl.d
CCE-89782-7 Verify Permissions On /etc/sysctl.d Directory To properly set the permissions of /etc/sysctl.d, run the command: 
$ sudo chmod 0755 /etc/sysctl.d
CCE-87965-0 Verify that audit tools are owned by group root The Red Hat Enterprise Linux 10 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: 
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators
CCE-89800-7 Verify that system commands files are group owned by root or a system account System commands files are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: 
$ sudo chgrp root FILE
CCE-89400-6 Verify that audit tools are owned by root The Red Hat Enterprise Linux 10 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: 
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators
CCE-89620-9 Verify that System Executables Have Root Ownership System executables are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: 
$ sudo chown root FILE
CCE-87988-2 Verify that Shared Library Files Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chown root FILE
CCE-86166-6 Verify that audit tools Have Mode 0755 or less The Red Hat Enterprise Linux 10 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command: 
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755
Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators
CCE-86978-4 Verify that System Executables Have Restrictive Permissions System executables are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w FILE
CCE-88771-1 Verify that Shared Library Files Have Restrictive Permissions System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w FILE
CCE-86440-5 Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. System-wide library files are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command: 
$ sudo chgrp root FILE
CCE-88947-7 Disable the Automounter The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command: 
$ sudo systemctl mask --now autofs.service
CCE-88814-9 Disable Kernel Support for USB via Bootloader Configuration All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown: 
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
CCE-90005-0 Disable Mounting of cramfs To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: 
install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
CCE-87969-2 Disable Mounting of freevxfs To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf: 
install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem.
CCE-87336-4 Disable Mounting of hfs To configure the system to prevent the hfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf: 
install hfs /bin/false
This effectively prevents usage of this uncommon filesystem.
CCE-89918-7 Disable Mounting of hfsplus To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf: 
install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem.
CCE-88027-8 Disable Mounting of jffs2 To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf: 
install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem.
CCE-88216-7 Disable Mounting of squashfs To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf: 
install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
CCE-87504-7 Disable Mounting of udf To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf: 
install udf /bin/false
This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats.
CCE-89301-6 Disable Modprobe Loading of USB Storage Driver To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: 
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
CCE-90132-2 Add nodev Option to /boot The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
CCE-90334-4 Add noexec Option to /boot The noexec mount option can be used to prevent binaries from being executed out of /boot. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
CCE-88881-8 Add nosuid Option to /boot The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
CCE-86783-8 Add nodev Option to /dev/shm The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
CCE-86775-4 Add noexec Option to /dev/shm The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
CCE-88358-7 Add nosuid Option to /dev/shm The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
CCE-87344-8 Add nodev Option to /home The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.
CCE-87810-8 Add noexec Option to /home The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home.
CCE-88987-3 Add nosuid Option to /home The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.
CCE-88981-6 Add nodev Option to Non-Root Local Partitions The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.
CCE-90154-6 Add nodev Option to Removable Media Partitions The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
CCE-90378-1 Add noexec Option to Removable Media Partitions The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
CCE-88078-1 Add nosuid Option to Removable Media Partitions The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
CCE-86868-7 Add nosuid Option to /opt The nosuid mount option can be used to prevent execution of setuid programs in /opt. The SUID and SGID permissions should not be required in this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /opt.
CCE-90162-9 Add nosuid Option to /srv The nosuid mount option can be used to prevent execution of setuid programs in /srv. The SUID and SGID permissions should not be required in this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /srv.
CCE-90522-4 Add nodev Option to /tmp The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
CCE-87095-6 Add noexec Option to /tmp The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
CCE-87318-2 Add nosuid Option to /tmp The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
CCE-87220-0 Add nodev Option to /var/log/audit The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
CCE-88957-6 Add noexec Option to /var/log/audit The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
CCE-90694-1 Add nosuid Option to /var/log/audit The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
CCE-89389-1 Add nodev Option to /var/log The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
CCE-89129-1 Add noexec Option to /var/log The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
CCE-90639-6 Add nosuid Option to /var/log The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
CCE-87070-9 Add nodev Option to /var The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.
CCE-90153-8 Add noexec Option to /var The noexec mount option can be used to prevent binaries from being executed out of /var. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var.
CCE-89496-4 Add nosuid Option to /var The nosuid mount option can be used to prevent execution of setuid programs in /var. The SUID and SGID permissions should not be required for this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var.
CCE-89441-0 Add nodev Option to /var/tmp The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
CCE-87347-1 Add noexec Option to /var/tmp The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
CCE-87892-6 Add nosuid Option to /var/tmp The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
CCE-86714-3 Disable storing core dumps To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: 
$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.core_pattern = |/bin/false
CCE-86218-5 Disable storing core dumps The kernel.core_pattern option specifies the core dumpfile pattern name. It can be set to an empty string. In this case, the kernel behaves differently based on another related option. If kernel.core_uses_pid is set to 1, then a file named as .PID (where PID is process ID of the crashed process) is created in the working directory. If kernel.core_uses_pid is set to 0, no coredump is saved. To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: 
$ sudo sysctl -w kernel.core_pattern=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.core_pattern =
CCE-88782-8 Configure file name of core dumps To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command: 
$ sudo sysctl -w kernel.core_uses_pid=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.core_uses_pid = 0
CCE-89000-4 Restrict Access to Kernel Message Buffer To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: 
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.dmesg_restrict = 1
CCE-89232-3 Disable Kernel Image Loading To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.kexec_load_disabled = 1
CCE-87060-0 Disable loading and unloading of kernel modules To set the runtime status of the kernel.modules_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.modules_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.modules_disabled = 1
CCE-88293-6 Kernel panic on oops To set the runtime status of the kernel.panic_on_oops kernel parameter, run the following command: 
$ sudo sysctl -w kernel.panic_on_oops=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.panic_on_oops = 1
CCE-87824-9 Limit CPU consumption of the Perf system To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: 
$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.perf_cpu_time_max_percent = 1
CCE-88924-6 Limit sampling frequency of the Perf system To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: 
$ sudo sysctl -w kernel.perf_event_max_sample_rate=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.perf_event_max_sample_rate = 1
CCE-90142-1 Disallow kernel profiling by unprivileged users To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: 
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.perf_event_paranoid = 2
CCE-88134-2 Configure maximum number of process identifiers To set the runtime status of the kernel.pid_max kernel parameter, run the following command: 
$ sudo sysctl -w kernel.pid_max=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.pid_max = 65536
CCE-90232-0 Disallow magic SysRq key To set the runtime status of the kernel.sysrq kernel parameter, run the following command: 
$ sudo sysctl -w kernel.sysrq=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.sysrq = 0
CCE-89405-5 Disable Access to Network bpf() Syscall From Unprivileged Processes To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.unprivileged_bpf_disabled = 1
CCE-88627-5 Disable Access to Network bpf() Syscall From Unprivileged Processes To prevent unprivileged processes from using the bpf() syscall the kernel.unprivileged_bpf_disabled kernel parameter must be set to 1 or 2. Writing 1 to this entry will disable unprivileged calls to bpf(); once disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. Once set to 1, this can't be cleared from the running kernel anymore. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.unprivileged_bpf_disabled = 1
Writing 2 to this entry will also disable unprivileged calls to bpf(), however, an admin can still change this setting later on, if needed, by writing 0 or 1 to this entry. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.unprivileged_bpf_disabled = 2
CCE-88785-1 Restrict usage of ptrace to descendant processes To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: 
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.yama.ptrace_scope = 1
CCE-89631-6 Harden the operation of the BPF just-in-time compiler To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: 
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.core.bpf_jit_harden = 2
CCE-89527-6 Disable the use of user namespaces To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command: 
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.
CCE-87534-4 Prevent applications from mapping low portion of virtual memory To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: 
$ sudo sysctl -w vm.mmap_min_addr=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
vm.mmap_min_addr = 65536
CCE-90438-3 Disable acquiring, saving, and processing core dumps The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
CCE-88825-5 Disable core dump backtraces The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.
CCE-88732-3 Disable storing core dump The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
CCE-88330-6 Disable Core Dumps for All Users To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory: 
*     hard   core    0
CCE-88399-1 Disable Core Dumps for SUID programs To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: 
$ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.suid_dumpable = 0
CCE-89079-8 Enable ExecShield via sysctl By default on Red Hat Enterprise Linux 10 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub.
CCE-88686-1 Restrict Exposed Kernel Pointer Addresses Access To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: 
$ sudo sysctl -w kernel.kptr_restrict=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.kptr_restrict =
CCE-87876-9 Enable Randomized Layout of Virtual Address Space To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: 
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.randomize_va_space = 2
CCE-89763-7 Enable NX or XD Support in the BIOS Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
CCE-89086-3 Enable page allocator poisoning To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. To ensure that page_poison=1 is added as a kernel command line argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
CCE-86675-6 Enable SLUB/SLAB allocator poisoning To enable poisoning of SLUB/SLAB objects, add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug= is added as a kernel command line argument to newly installed kernels, add slub_debug= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... slub_debug= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="
CCE-90410-2 Install libselinux Package The libselinux package can be installed with the following command: 
$ sudo dnf install libselinux
CCE-87004-8 Install policycoreutils-python-utils package The policycoreutils-python-utils package can be installed with the following command: 
$ sudo dnf install policycoreutils-python-utils
CCE-88996-4 Install policycoreutils Package The policycoreutils package can be installed with the following command: 
$ sudo dnf install policycoreutils
CCE-88183-9 Uninstall mcstrans Package The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. The mcstrans package can be removed with the following command: 
$ sudo dnf remove mcstrans
CCE-89365-1 Uninstall setroubleshoot-plugins Package The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot-plugins package can be removed with the following command: 
$ sudo dnf remove setroubleshoot-plugins
CCE-89569-8 Uninstall setroubleshoot-server Package The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot-server package can be removed with the following command: 
$ sudo dnf remove setroubleshoot-server
CCE-89902-1 Uninstall setroubleshoot Package The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot package can be removed with the following command: 
$ sudo dnf remove setroubleshoot
CCE-87637-5 Verify Group Who Owns /etc/selinux Directory To properly set the group owner of /etc/selinux, run the command: 
$ sudo chgrp root /etc/selinux
CCE-89309-9 Verify User Who Owns /etc/selinux Directory To properly set the owner of /etc/selinux, run the command: 
$ sudo chown root /etc/selinux
CCE-87997-3 Verify Permissions On /etc/selinux Directory To properly set the permissions of /etc/selinux, run the command: 
$ sudo chmod 0755 /etc/selinux
CCE-89741-3 Verify Group Who Owns /etc/sestatus.conf File To properly set the group owner of /etc/sestatus.conf, run the command: 
$ sudo chgrp root /etc/sestatus.conf
CCE-86503-0 Verify User Who Owns /etc/sestatus.conf File To properly set the owner of /etc/sestatus.conf, run the command: 
$ sudo chown root /etc/sestatus.conf
CCE-90692-5 Verify Permissions On /etc/sestatus.conf File To properly set the permissions of /etc/sestatus.conf, run the command: 
$ sudo chmod 0644 /etc/sestatus.conf
CCE-88989-9 Ensure SELinux Not Disabled in /etc/default/grub SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
CCE-90192-6 Ensure No Device Files are Unlabeled by SELinux Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for incorrectly labeled device files, run following commands: 
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
CCE-88979-0 Ensure No Daemons are Unconfined by SELinux Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the unconfined_service_t context.

To check for unconfined daemons, run the following command: 
$ sudo ps -eZ | grep "unconfined_service_t"
It should produce no output in a well-configured system.
CCE-90205-6 Ensure SELinux is Not Disabled The SELinux state should be set to enforcing or permissive at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing or permissive mode: 
SELINUX=enforcing
OR 
SELINUX=permissive
CCE-88366-0 Configure SELinux Policy The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: 
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
CCE-89386-7 Ensure SELinux State is Enforcing The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: 
SELINUX=
CCE-89945-0 Enable the auditadm_exec_content SELinux Boolean By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the auditadm_exec_content SELinux boolean, run the following command: 
$ sudo setsebool -P auditadm_exec_content on
CCE-90335-1 Disable the authlogin_nsswitch_use_ldap SELinux Boolean By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. If this setting is enabled, it should be disabled. To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command: 
$ sudo setsebool -P authlogin_nsswitch_use_ldap off
CCE-90517-4 Disable the authlogin_radius SELinux Boolean By default, the SELinux boolean authlogin_radius is disabled. If this setting is enabled, it should be disabled. To disable the authlogin_radius SELinux boolean, run the following command: 
$ sudo setsebool -P authlogin_radius off
CCE-87708-4 Configure the deny_execmem SELinux Boolean By default, the SELinux boolean deny_execmem is disabled. This setting should be configured to .
To set the deny_execmem SELinux boolean, run the following command: 
$ sudo setsebool -P deny_execmem
CCE-89262-0 Enable the kerberos_enabled SELinux Boolean By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. To enable the kerberos_enabled SELinux boolean, run the following command: 
$ sudo setsebool -P kerberos_enabled on
CCE-88652-3 Configure the polyinstantiation_enabled SELinux Boolean By default, the SELinux boolean polyinstantiation_enabled is disabled. This setting should be configured to .
To set the polyinstantiation_enabled SELinux boolean, run the following command: 
$ sudo setsebool -P polyinstantiation_enabled
CCE-90413-6 Disable the selinuxuser_execheap SELinux Boolean By default, the SELinux boolean selinuxuser_execheap is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command: 
$ sudo setsebool -P selinuxuser_execheap off
CCE-86922-2 Enable the selinuxuser_execmod SELinux Boolean By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled. To enable the selinuxuser_execmod SELinux boolean, run the following command: 
$ sudo setsebool -P selinuxuser_execmod on
CCE-87842-1 Disable the selinuxuser_execstack SELinux Boolean By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the selinuxuser_execstack SELinux boolean, run the following command: 
$ sudo setsebool -P selinuxuser_execstack off
CCE-90429-2 Disable the ssh_sysadm_login SELinux Boolean By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled. To disable the ssh_sysadm_login SELinux boolean, run the following command: 
$ sudo setsebool -P ssh_sysadm_login off
CCE-90062-1 Disable Avahi Server Software The avahi-daemon service can be disabled with the following command: 
$ sudo systemctl mask --now avahi-daemon.service
CCE-88407-2 Disable KDump Kernel Crash Analyzer (kdump) The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command: 
$ sudo systemctl mask --now kdump.service
CCE-86619-4 Install the cron service The Cron service should be installed.
CCE-87885-0 Enable cron Service The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command: 
$ sudo systemctl enable crond.service
CCE-90044-9 Enable cron Service The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command: 
$ sudo systemctl enable crond.service
CCE-89321-4 Verify Group Who Owns cron.d To properly set the group owner of /etc/cron.d, run the command: 
$ sudo chgrp root /etc/cron.d
CCE-90342-7 Verify Group Who Owns cron.daily To properly set the group owner of /etc/cron.daily, run the command: 
$ sudo chgrp root /etc/cron.daily
CCE-88060-9 Verify Group Who Owns cron.deny To properly set the group owner of /etc/cron.deny, run the command: 
$ sudo chgrp root /etc/cron.deny
CCE-88140-9 Verify Group Who Owns cron.hourly To properly set the group owner of /etc/cron.hourly, run the command: 
$ sudo chgrp root /etc/cron.hourly
CCE-88986-5 Verify Group Who Owns cron.monthly To properly set the group owner of /etc/cron.monthly, run the command: 
$ sudo chgrp root /etc/cron.monthly
CCE-89080-6 Verify Group Who Owns cron.weekly To properly set the group owner of /etc/cron.weekly, run the command: 
$ sudo chgrp root /etc/cron.weekly
CCE-89062-4 Verify Group Who Owns Crontab To properly set the group owner of /etc/crontab, run the command: 
$ sudo chgrp root /etc/crontab
CCE-88741-4 Verify Owner on cron.d To properly set the owner of /etc/cron.d, run the command: 
$ sudo chown root /etc/cron.d
CCE-87499-0 Verify Owner on cron.daily To properly set the owner of /etc/cron.daily, run the command: 
$ sudo chown root /etc/cron.daily
CCE-86823-2 Verify Owner on cron.deny To properly set the owner of /etc/cron.deny, run the command: 
$ sudo chown root /etc/cron.deny
CCE-89705-8 Verify Owner on cron.hourly To properly set the owner of /etc/cron.hourly, run the command: 
$ sudo chown root /etc/cron.hourly
CCE-90753-5 Verify Owner on cron.monthly To properly set the owner of /etc/cron.monthly, run the command: 
$ sudo chown root /etc/cron.monthly
CCE-88943-6 Verify Owner on cron.weekly To properly set the owner of /etc/cron.weekly, run the command: 
$ sudo chown root /etc/cron.weekly
CCE-87294-5 Verify Owner on crontab To properly set the owner of /etc/crontab, run the command: 
$ sudo chown root /etc/crontab
CCE-86651-7 Verify Permissions on cron.d To properly set the permissions of /etc/cron.d, run the command: 
$ sudo chmod 0700 /etc/cron.d
CCE-88919-6 Verify Permissions on cron.daily To properly set the permissions of /etc/cron.daily, run the command: 
$ sudo chmod 0700 /etc/cron.daily
CCE-88664-8 Verify Permissions on cron.hourly To properly set the permissions of /etc/cron.hourly, run the command: 
$ sudo chmod 0700 /etc/cron.hourly
CCE-86632-7 Verify Permissions on cron.monthly To properly set the permissions of /etc/cron.monthly, run the command: 
$ sudo chmod 0700 /etc/cron.monthly
CCE-89733-0 Verify Permissions on cron.weekly To properly set the permissions of /etc/cron.weekly, run the command: 
$ sudo chmod 0700 /etc/cron.weekly
CCE-90078-7 Verify Permissions on crontab To properly set the permissions of /etc/crontab, run the command: 
$ sudo chmod 0600 /etc/crontab
CCE-89507-8 Ensure that /etc/at.deny does not exist The file /etc/at.deny should not exist. Use /etc/at.allow instead.
CCE-87235-8 Ensure that /etc/cron.allow exists The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.
CCE-88579-8 Ensure that /etc/cron.deny does not exist The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
CCE-90598-4 Verify Group Who Owns /etc/at.allow file If /etc/at.allow exists, it must be group-owned by root. To properly set the group owner of /etc/at.allow, run the command: 
$ sudo chgrp root /etc/at.allow
CCE-90094-4 Verify Group Who Owns /etc/cron.allow file If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command: 
$ sudo chgrp root /etc/cron.allow
CCE-88524-4 Verify User Who Owns /etc/at.allow file If /etc/at.allow exists, it must be owned by root. To properly set the owner of /etc/at.allow, run the command: 
$ sudo chown root /etc/at.allow
CCE-88914-7 Verify User Who Owns /etc/cron.allow file If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command: 
$ sudo chown root /etc/cron.allow
CCE-90283-3 Verify Permissions on /etc/at.allow file If /etc/at.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/at.allow, run the command: 
$ sudo chmod 0600 /etc/at.allow
CCE-89121-8 Verify Permissions on /etc/cron.allow file If /etc/cron.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/cron.allow, run the command: 
$ sudo chmod 0600 /etc/cron.allow
CCE-86596-4 Uninstall kea Package If the system does not need to act as a DHCP server, the kea package can be uninstalled.
CCE-86558-4 Uninstall dnsmasq Package dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services.
The dnsmasq package can be removed with the following command: 
$ sudo dnf remove dnsmasq
CCE-87806-6 Uninstall bind Package The named service is provided by the bind package. The bind package can be removed with the following command: 
$ sudo dnf remove bind
CCE-89813-0 Install fapolicyd Package The fapolicyd package can be installed with the following command: 
$ sudo dnf install fapolicyd
CCE-88147-4 Enable the File Access Policy Service The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command: 
$ sudo systemctl enable fapolicyd.service
CCE-86687-1 Remove ftp Package FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server).
The ftp package can be removed with the following command: 
$ sudo dnf remove ftp
CCE-88674-7 Uninstall vsftpd Package The vsftpd package can be removed with the following command: 
 $ sudo dnf remove vsftpd
CCE-89436-0 Uninstall httpd Package The httpd package can be removed with the following command: 
$ sudo dnf remove httpd
CCE-89648-0 Uninstall nginx Package The nginx package can be removed with the following command: 
$ sudo dnf remove nginx
CCE-90156-1 Uninstall cyrus-imapd Package The cyrus-imapd package can be removed with the following command: 
$ sudo dnf remove cyrus-imapd
CCE-86197-1 Uninstall dovecot Package The dovecot package can be removed with the following command: 
$ sudo dnf remove dovecot
CCE-90440-9 Disable Kerberos by removing host keytab Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab.
CCE-90641-2 Ensure LDAP client is not installed The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The openldap-clients package can be removed with the following command: 
$ sudo dnf remove openldap-clients
CCE-88294-4 Enable the LDAP Client For Use in Authconfig To determine if LDAP is being used for authentication, use the following command: 
$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH to yes.
CCE-89346-1 The s-nail Package Is Installed A mail server is required for sending emails. The s-nail package can be installed with the following command: 
$ sudo dnf install s-nail
CCE-88412-2 Ensure Mail Transfer Agent is not Listening on any non-loopback Address Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.
CCE-87937-9 Configure System to Forward All Mail For The Root Account Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address is a valid email address reachable from the system in question. Use the following command to configure the alias: 
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
CCE-89448-5 Configure System to Forward All Mail From Postmaster to The Root Account Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". 
$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root
CCE-87280-4 Disable Postfix Network Listening Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears: 
inet_interfaces =
CCE-87792-8 Prevent Unrestricted Mail Relaying Modify the 
/etc/postfix/main.cf
file to restrict client connections to the local network with the following command: 
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
CCE-88270-4 Uninstall nfs-utils Package The nfs-utils package can be removed with the following command: 
$ sudo dnf remove nfs-utils
CCE-88459-3 Disable rpcbind Service The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The rpcbind service can be disabled with the following command: 
$ sudo systemctl mask --now rpcbind.service
CCE-88764-6 Disable Network File System (nfs) The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The nfs-server service can be disabled with the following command: 
$ sudo systemctl mask --now nfs-server.service
CCE-87249-9 Mount Remote Filesystems with Kerberos Security Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
CCE-88013-8 Mount Remote Filesystems with nodev Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
CCE-86463-7 Mount Remote Filesystems with noexec Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
CCE-90504-2 Mount Remote Filesystems with nosuid Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
CCE-90391-4 Use Kerberos Security on All Exports Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.
CCE-89591-2 The Chrony package is installed System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The chrony package can be installed with the following command: 
$ sudo dnf install chrony
CCE-90511-7 The Chronyd service is enabled chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable Chronyd service, you can run: # systemctl enable chronyd.service This recommendation only applies if chrony is in use on the system.
CCE-89185-3 Enable the NTP Daemon Run the following command to determine the current status of the chronyd service: 
$ sudo systemctl is-active chronyd
If the service is running, it should return the following: 
active
Note: The chronyd daemon is enabled by default.

Run the following command to determine the current status of the ntpd service: 
$ sudo systemctl is-active ntpd
If the service is running, it should return the following: 
active
Note: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance which NTP daemon to choose depending on the environment used.
CCE-86811-7 A remote time server for Chrony is configured Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate: 
server <remote-server>
Multiple servers may be configured.
CCE-86471-0 Configure Time Service to use NTS The system should be configured to use time servers that support Network Time Security (NTS). The specified time server must support NTS and must be configured to use NTS. To configure NTS for given time server add nts to each server or pool line in /etc/chrony.conf.
CCE-89002-0 Disable chrony daemon from acting as server The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.
CCE-89285-1 Chrony Configure Pool and Server Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate: 
server <remote-server>
Multiple servers may be configured.
CCE-87066-7 Disable network management of chrony daemon The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
CCE-88549-1 Configure Time Service Maxpoll Interval The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/) add the following after each server, pool or peer entry: 
maxpoll
to server directives. If using chrony, any pool directives should be configured too.
CCE-90499-5 Specify Additional Remote NTP Servers Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 10 system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:
  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: 
server ntpserver
CCE-89296-8 Ensure that chronyd is running under chrony user account chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, remove any -u ... option from OPTIONS other than -u chrony, as chrony is run under its own user by default. This recommendation only applies if chrony is in use on the system.
CCE-88824-8 Ensure Chrony is only configured with the server directive Check that Chrony only has time sources configured with the server directive.
CCE-87112-9 Verify Group Who Owns /etc/chrony.keys File To properly set the group owner of /etc/chrony.keys, run the command: 
$ sudo chgrp chrony /etc/chrony.keys
CCE-88848-7 Verify User Who Owns /etc/chrony.keys File To properly set the owner of /etc/chrony.keys, run the command: 
$ sudo chown root /etc/chrony.keys
CCE-88155-7 Verify Permissions On /etc/chrony.keys File To properly set the permissions of /etc/chrony.keys, run the command: 
$ sudo chmod 0640 /etc/chrony.keys
CCE-88025-2 Uninstall rsync Package The rsyncd service can be used to synchronize files between systems over network links. The rsync-daemon package can be removed with the following command: 
$ sudo dnf remove rsync-daemon
CCE-88179-7 Ensure rsyncd service is disabled The rsyncd service can be disabled with the following command: 
$ sudo systemctl mask --now rsyncd.service
CCE-88760-4 Uninstall xinetd Package The xinetd package can be removed with the following command: 
$ sudo dnf remove xinetd
CCE-90241-1 Disable rexec Service The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. The rexec socket can be disabled with the following command: 
$ sudo systemctl mask --now rexec.socket
CCE-88103-7 Disable rlogin Service The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. The rlogin socket can be disabled with the following command: 
$ sudo systemctl mask --now rlogin.socket
CCE-90186-8 Disable rsh Service The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. The rsh socket can be disabled with the following command: 
$ sudo systemctl mask --now rsh.socket
CCE-89350-3 Remove Host-Based Authentication Files The shosts.equiv file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: 
$ sudo rm /[path]/[to]/[file]/shosts.equiv
CCE-88529-3 Remove Rsh Trust Files The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: 
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
CCE-89341-2 Remove User Host-Based Authentication Files The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: 
$ sudo find / -name '.shosts' -type f -delete
CCE-88105-2 Uninstall telnet-server Package The telnet-server package can be removed with the following command: 
$ sudo dnf remove telnet-server
CCE-90545-5 Remove telnet Clients The telnet client allows users to start connections to other systems via the telnet protocol.
CCE-89078-0 Disable telnet Service Make sure that the activation of the telnet service on system boot is disabled. The telnet socket can be disabled with the following command: 
$ sudo systemctl mask --now telnet.socket
CCE-89287-7 Uninstall tftp-server Package The tftp-server package can be removed with the following command: 
 $ sudo dnf remove tftp-server
CCE-88586-3 Remove tftp Daemon Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
CCE-86495-9 Ensure tftp systemd Service Uses Secure Mode If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service: 
$ sudo systemctl show tftp | grep ExecStart=
ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
and ensure the ExecStart line on that file includes the -s option with a subdirectory: 
ExecStart=/usr/sbin/in.tftpd -s
CCE-86174-0 Disable the CUPS Service The cups service can be disabled with the following command: 
$ sudo systemctl mask --now cups.service
CCE-87396-8 Uninstall squid Package The squid package can be removed with the following command: 
 $ sudo dnf remove squid
CCE-88847-9 Disable Squid The squid service can be disabled with the following command: 
$ sudo systemctl mask --now squid.service
CCE-89779-3 Uninstall Samba Package The samba package can be removed with the following command: 
 $ sudo dnf remove samba
CCE-89193-7 Uninstall net-snmp Package The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command: 
$ sudo dnf remove net-snmp
CCE-87815-7 Disable snmpd Service The snmpd service can be disabled with the following command: 
$ sudo systemctl mask --now snmpd.service
CCE-87264-8 Configure SNMP Service to Use Only SNMPv3 or Newer Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service: 
$ sudo systemctl restart snmpd
CCE-86852-1 Install OpenSSH client software The openssh-clients package can be installed with the following command: 
$ sudo dnf install openssh-clients
CCE-89241-4 Install the OpenSSH Server Package The openssh-server package should be installed. The openssh-server package can be installed with the following command: 
$ sudo dnf install openssh-server
CCE-88621-8 Enable the OpenSSH Service The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: 
$ sudo systemctl enable sshd.service
CCE-86992-5 Verify Group Who Owns SSH Server config file To properly set the group owner of /etc/ssh/sshd_config, run the command: 
$ sudo chgrp root /etc/ssh/sshd_config
CCE-90288-2 Verify Group Ownership on SSH Server Private *_key Key Files SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by root group.
CCE-90469-8 Verify Group Ownership on SSH Server Public *.pub Key Files SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
CCE-89829-6 Verify Owner on SSH Server config file To properly set the owner of /etc/ssh/sshd_config, run the command: 
$ sudo chown root /etc/ssh/sshd_config
CCE-90624-8 Verify Ownership on SSH Server Private *_key Key Files SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
CCE-87297-8 Verify Ownership on SSH Server Public *.pub Key Files SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
CCE-86264-9 Verify Permissions on SSH Server config file To properly set the permissions of /etc/ssh/sshd_config, run the command: 
$ sudo chmod 0600 /etc/ssh/sshd_config
CCE-88018-7 Verify Permissions on SSH Server Private *_key Key Files SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
CCE-87454-5 Verify Permissions on SSH Server Public *.pub Key Files To properly set the permissions of /etc/ssh/*.pub, run the command: 
$ sudo chmod 0644 /etc/ssh/*.pub
CCE-89510-2 Configure session renegotiation for SSH client The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the include directive in the main config file /etc/ssh/ssh_config. Check also other files in /etc/ssh/ssh_config.d directory. Files are processed according to lexicographical order of file names. Make sure that there is no file processed before 02-rekey-limit.conf containing definition of RekeyLimit.
CCE-89160-6 Verify the SSH Private Key Files Have a Passcode When creating SSH key pairs, always use a passcode.
You can create such keys with the following command: 
$ sudo ssh-keygen -n [passphrase]
Red Hat Enterprise Linux 10, for certificate-based authentication, must enforce authorized access to the corresponding private key.
CCE-88840-4 Set SSH Client Alive Count Max to zero The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. To ensure the SSH timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0 in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
CCE-86794-5 Set SSH Client Alive Count Max The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
CCE-90362-5 Set SSH Client Alive Interval SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows: 
ClientAliveInterval


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
CCE-88057-5 Disable Host-Based Authentication SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
HostbasedAuthentication no
CCE-89799-1 Enable SSH Server firewalld Firewall Exception If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access.

To configure firewalld to allow ssh access, run the following command(s): 
firewall-cmd --permanent --add-service=ssh
Then run the following command to load the newly created rule(s): 
firewall-cmd --reload
CCE-90051-4 Disable Compression Or Set Compression to delayed Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file: 
Compression
CCE-86753-1 Disable SSH Access via Empty Passwords Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
CCE-89145-7 Disable GSSAPI Authentication Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
GSSAPIAuthentication no
CCE-90591-9 Disable Kerberos Authentication Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
KerberosAuthentication no
CCE-87777-9 Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
IgnoreRhosts yes
CCE-89866-8 Disable SSH Support for Rhosts RSA Authentication SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: 
RhostsRSAAuthentication no
CCE-89730-6 Disable SSH Root Login The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
PermitRootLogin no
CCE-89027-7 Disable SSH TCP Forwarding The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted. To disable TCP forwarding, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
AllowTcpForwarding no
CCE-87313-3 Disable SSH Support for User Known Hosts SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
IgnoreUserKnownHosts yes
CCE-89476-6 Disable X11 Forwarding The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
X11Forwarding no
CCE-87395-0 Do Not Allow SSH Environment Options Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
PermitUserEnvironment no
CCE-87045-1 Enable PAM UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
UsePAM yes
CCE-90625-5 Enable Public Key Authentication Enable SSH login with public keys.
The default SSH configuration enables authentication based on public keys. The appropriate configuration is used if no value is set for PubkeyAuthentication.
To explicitly enable Public Key Authentication, add or correct the following /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
PubkeyAuthentication yes
CCE-88037-7 Enable Use of Strict Mode Checking SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
StrictModes yes
CCE-86539-4 Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
CCE-88799-2 Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: 
Banner /etc/issue.net
Another section contains information on how to create an appropriate system-wide warning banner.
CCE-90003-5 Limit Users' SSH Access By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically allowing a user's access only from a particular host, the entry can be specified in the form of user@host. - AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.
CCE-88362-9 Enable SSH Print Last Log Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
PrintLastLog yes
CCE-88356-1 Force frequent session key renegotiation The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.
To decrease the default limits, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
RekeyLimit
CCE-87290-3 Ensure SSH LoginGraceTime is configured The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate limits to ensure the service is available for needed access.
CCE-90121-5 Set LogLevel to INFO The INFO parameter specifices that record login and logout activity will be logged.
The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value is set for LogLevel.
To explicitly specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
LogLevel INFO
CCE-86241-7 Set SSH Daemon LogLevel to VERBOSE The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: 
LogLevel VERBOSE
CCE-90071-2 Set SSH authentication attempt limit The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows: 
MaxAuthTries
CCE-89659-7 Set SSH MaxSessions limit The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit /etc/ssh/sshd_config as follows: 
MaxSessions
CCE-89624-1 Ensure SSH MaxStartups is configured The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should add or edit the following line in the /etc/ssh/sshd_config file: 
MaxStartups
CCE-87449-5 Distribute the SSH Server configuration to multiple files in a config directory. Make sure to have the Include /etc/ssh/sshd_config.d/*.conf line in the /etc/ssh/sshd_config file. Ideally, don't have any active configuration directives in that file, and distribute the service configuration to several files in the /etc/ssh/sshd_config.d directory.
CCE-88712-5 Enable Use of Privilege Separation When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file: 
UsePrivilegeSeparation
CCE-87009-7 Use Only Strong Key Exchange algorithms Limit the Key Exchange to strong algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those: 
KexAlgorithms
CCE-86792-9 Use Only Strong MACs Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs: 
MACs
CCE-86528-7 Prevent remote hosts from connecting to the proxy display The SSH daemon should prevent remote hosts from connecting to the proxy display.
The default SSH configuration for X11UseLocalhost is yes, which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: X11UseLocalhost yes
CCE-88372-8 Install the SSSD Package The sssd package should be installed. The sssd package can be installed with the following command: 
$ sudo dnf install sssd
CCE-87447-9 Enable the SSSD Service The SSSD service should be enabled. The sssd service can be enabled with the following command: 
$ sudo systemctl enable sssd.service
CCE-86192-2 Certificate status checking in SSSD Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards. Configuring certificate_verification to ocsp_dgst= ensures that certificates for multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
CCE-90713-9 Enable Certmap in SSSD SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like certmap/testing.test/rule_name is setup in /etc/sssd/sssd.conf. For example 
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
CCE-90275-9 Enable Smartcards in SSSD SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to True under the [pam] section in /etc/sssd/sssd.conf. For example: 
[pam]
pam_cert_auth = True
CCE-87826-4 SSSD Has a Correct Trust Anchor SSSD must have acceptable trust anchor present.
CCE-90741-0 Configure SSSD to Expire Offline Credentials SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example: 
[pam]
offline_credentials_expiration = 1
CCE-87756-3 Install usbguard Package The usbguard package can be installed with the following command: 
$ sudo dnf install usbguard
CCE-87560-9 Enable the USBGuard Service The USBGuard service should be enabled. The usbguard service can be enabled with the following command: 
$ sudo systemctl enable usbguard.service
CCE-87152-5 Log USBGuard daemon audit events using Linux Audit To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
CCE-88761-2 Authorize Human Interface Devices and USB hubs in USBGuard daemon To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line allow with-interface match-all { 03:*:* 09:00:* } to /etc/usbguard/rules.conf.
CCE-88632-5 Generate USBGuard Policy By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices.
CCE-89061-6 Remove the X Windows Package Group By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: 
$ sudo dnf groupremove "X Window System"
$ sudo dnf remove xorg-x11-server-common
CCE-88391-8 Disable graphical user interface By removing the following packages, the system no longer has X Windows installed. xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: 
sudo dnf remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
CCE-89266-1 Disable X Windows Startup By Setting Default Target Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run: 
$ systemctl set-default multi-user.target
You should see the following output: 
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
CCE-88547-5 Install audispd-plugins Package The audispd-plugins package can be installed with the following command: 
$ sudo dnf install audispd-plugins
CCE-90611-5 Ensure the audit-libs package as a part of audit Subsystem is Installed The audit-libs package should be installed.
CCE-88240-7 Ensure the audit Subsystem is Installed The audit package should be installed.
CCE-87955-1 Enable auditd Service The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: 
$ sudo systemctl enable auditd.service
CCE-88376-9 Enable Auditing for Processes Which Start Prior to the Audit Daemon To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
CCE-88192-0 Extend Audit Backlog Limit for the Audit Daemon To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. To ensure that audit_backlog_limit=8192 is added as a kernel command line argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
CCE-89816-3 Make the auditd Configuration Immutable If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable: 
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable: 
-e 2
With this setting, a reboot will be required to change any audit rules.
CCE-87320-8 Record Events that Modify the System's Mandatory Access Controls If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/selinux/ -p wa -k MAC-policy
CCE-88117-7 Record Events that Modify the System's Mandatory Access Controls in usr/share If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /usr/share/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /usr/share/selinux/ -p wa -k MAC-policy
CCE-86590-7 Ensure auditd Collects Information on Exporting to Media (successful) At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
CCE-87775-3 Record Events that Modify the System's Network Environment If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
CCE-90731-1 Record Events that Modify the System's Network Environment If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
CCE-89323-0 Record Attempts to Alter Process and Session Initiation Information The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
CCE-88688-7 Ensure auditd Collects System Administrator Actions - /etc/sudoers At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers -p wa -k actions
CCE-89020-2 Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers.d/ -p wa -k actions
CCE-86599-8 Record Events When Executables Are Run As Another User Verify the system generates an audit record when actions are run as another user. sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. If audit is using the "auditctl" tool to load the rules, run the following command: 
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command: 
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
-a always,exit -F arch=b64  S execve -C euid!=uid -F auid!=unset -k user_emulation
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
CCE-88933-7 Record Events When Privileged Executables Are Run Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: 
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command: 
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
CCE-89678-7 Ensure auditd Collects System Administrator Actions At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
CCE-87352-1 Shutdown System When Auditing Failures Occur If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to to the bottom of a file with suffix .rules in the directory /etc/audit/rules.d: 
-f
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the bottom of the /etc/audit/audit.rules file: 
-f
CCE-87111-1 Record Events that Modify User/Group Information - /etc/group If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification
CCE-87736-5 Record Events that Modify User/Group Information - /etc/gshadow If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
CCE-90664-4 Record Events that Modify User/Group Information - /etc/security/opasswd If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
CCE-88286-0 Record Events that Modify User/Group Information - /etc/passwd If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
CCE-88637-4 Record Events that Modify User/Group Information - /etc/shadow If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
CCE-89542-5 Record Attempts to perform maintenance activities The Red Hat Enterprise Linux 10 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating system audits activities performed during nonlocal maintenance and diagnostic sessions. Run the following command: 
$ sudo auditctl -l | grep sudo.log
-w /var/log/sudo.log -p wa -k maintenance
CCE-90052-2 Record Access Events to Audit Log Directory The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. 
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to /etc/audit/audit.rules file.
CCE-88841-2 System Audit Directories Must Be Group Owned By Root All audit directories must be group owned by root user. By default, the path for audit log is 
/var/log/audit/
. To properly set the group owner of /var/log/audit, run the command: 
$ sudo chgrp root /var/log/audit
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group.
CCE-86731-7 System Audit Directories Must Be Owned By Root All audit directories must be owned by root user. By default, the path for audit log is 
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command: 
$ sudo chown root /var/log/audit
CCE-86750-7 System Audit Logs Must Have Mode 0750 or Less Permissive If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command: 
$ sudo chmod 0750 /var/log/audit

Otherwise, change the mode of the audit log files with the following command: 
$ sudo chmod 0700 /var/log/audit
CCE-89126-7 System Audit Logs Must Be Group Owned By Root All audit logs must be group owned by root user. The path for audit log can be configured via log_file parameter in 
/etc/audit/auditd.conf
or, by default, the path for audit log is 
/var/log/audit/
. To properly set the group owner of /var/log/audit/*, run the command: 
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.
CCE-88238-1 Audit Configuration Files Must Be Owned By Group root All audit configuration files must be owned by group root. 
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
CCE-88877-6 Audit Configuration Files Must Be Owned By Root All audit configuration files must be owned by root user. To properly set the owner of /etc/audit/, run the command: 
$ sudo chown root /etc/audit/
To properly set the owner of /etc/audit/rules.d/, run the command: 
$ sudo chown root /etc/audit/rules.d/
CCE-87480-0 System Audit Logs Must Be Owned By Root All audit logs must be owned by root user and group. By default, the path for audit log is 
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command: 
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command: 
$ sudo chown root /var/log/audit/*
CCE-89939-3 System Audit Logs Must Be Owned By Root All audit logs must be owned by root user. The path for audit log can be configured via log_file parameter in 
/etc/audit/auditd.conf
or by default, the path for audit log is 
/var/log/audit/
. To properly set the owner of /var/log/audit/*, run the command: 
$ sudo chown root /var/log/audit/*
CCE-88067-4 Audit Configuration Files Permissions are 640 or More Restrictive All audit configuration files permissions must be 640 or more restrictive. 
chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
CCE-90129-8 System Audit Logs Must Have Mode 0640 or Less Permissive Determine where the audit logs are stored with the following command: 
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: 
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log".
CCE-90466-4 Record Events that Modify the System's Discretionary Access Controls - chmod At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-89540-9 Record Events that Modify the System's Discretionary Access Controls - chown At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-88200-1 Record Events that Modify the System's Discretionary Access Controls - fchmod At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-89356-0 Record Events that Modify the System's Discretionary Access Controls - fchmodat At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-90685-9 Record Events that Modify the System's Discretionary Access Controls - fchown At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-90651-1 Record Events that Modify the System's Discretionary Access Controls - fchownat At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-88352-0 Record Events that Modify the System's Discretionary Access Controls - fremovexattr At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
CCE-89370-1 Record Events that Modify the System's Discretionary Access Controls - fsetxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
CCE-88243-1 Record Events that Modify the System's Discretionary Access Controls - lchown At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-90100-9 Record Events that Modify the System's Discretionary Access Controls - lremovexattr At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
CCE-88052-6 Record Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
CCE-89677-9 Record Events that Modify the System's Discretionary Access Controls - removexattr At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
CCE-89571-4 Record Events that Modify the System's Discretionary Access Controls - setxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
CCE-87601-1 Record Events that Modify the System's Discretionary Access Controls - umount At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-89822-1 Record Events that Modify the System's Discretionary Access Controls - umount2 At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
CCE-88467-6 Record Any Attempts to Run chacl At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87662-3 Record Any Attempts to Run setfacl At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87762-1 Record Any Attempts to Run chcon At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87531-0 Record Any Attempts to Run restorecon At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89541-7 Record Any Attempts to Run semanage At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88818-0 Record Any Attempts to Run setfiles At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87741-5 Record Any Attempts to Run setsebool At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-86735-8 Record Any Attempts to Run seunshare At a minimum, the audit system should collect any execution attempt of the seunshare command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-90733-7 Ensure auditd Collects File Deletion Events by User - rename At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
CCE-90237-9 Ensure auditd Collects File Deletion Events by User - renameat At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
CCE-88762-0 Ensure auditd Collects File Deletion Events by User - rmdir At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
CCE-86737-4 Ensure auditd Collects File Deletion Events by User - unlink At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
CCE-87813-2 Ensure auditd Collects File Deletion Events by User - unlinkat At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
CCE-87250-7 Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-87052-7 Record Unsuccessful Access Attempts to Files - creat At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-86729-1 Record Unsuccessful Access Attempts to Files - ftruncate At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-87349-7 Record Unsuccessful Access Attempts to Files - open At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-90251-0 Record Unsuccessful Access Attempts to Files - open_by_handle_at At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-89622-5 Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
CCE-86749-9 Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
CCE-87518-7 Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
CCE-88300-9 Record Unsuccessful Creation Attempts to Files - open O_CREAT The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
CCE-90742-8 Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
CCE-87190-5 Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via open syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
CCE-89291-9 Record Unsuccessful Access Attempts to Files - openat At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-89098-8 Record Unsuccessful Creation Attempts to Files - openat O_CREAT The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when O_CREAT flag is specified. The following auidt rules will asure that unsuccessful attempts to create a file via openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
CCE-86897-6 Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for write operation of with O_TRUNC_WRITE flag. The following auidt rules will asure that unsuccessful attempts to modify a file via openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
CCE-90507-5 Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via openat syscall the audit rules collecting these events need to be in certain order. The more specific rules need to come before the less specific rules. The reason for that is that more specific rules cover a subset of events covered in the less specific rules, thus, they need to come before to not be overshadowed by less specific rules, which match a bigger set of events. Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of rules below in /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
CCE-89713-2 Record Unsuccessful Delete Attempts to Files - rename The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
CCE-88132-6 Record Unsuccessful Delete Attempts to Files - renameat The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
CCE-89869-2 Record Unsuccessful Access Attempts to Files - truncate At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
CCE-88520-2 Record Unsuccessful Delete Attempts to Files - unlink The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
CCE-89972-4 Record Unsuccessful Delete Attempts to Files - unlinkat The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
CCE-89198-6 Ensure auditd Collects Information on Kernel Module Loading and Unloading To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -F key=modules
The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
CCE-90049-8 Ensure auditd Collects Information on Kernel Module Unloading - create_module To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S create_module -F key=module-change
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
CCE-89982-3 Ensure auditd Collects Information on Kernel Module Unloading - delete_module To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
CCE-88638-2 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
CCE-90172-8 Ensure auditd Collects Information on Kernel Module Loading - init_module To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
CCE-90015-9 Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
CCE-89220-8 Record Attempts to Alter Logon and Logout Events The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: 
-w /var/log/tallylog -p wa -k logins
-w  -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: 
-w /var/log/tallylog -p wa -k logins
-w  -p wa -k logins
-w /var/log/lastlog -p wa -k logins
CCE-89479-0 Record Attempts to Alter Logon and Logout Events - faillock The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: 
-w  -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: 
-w  -p wa -k logins
CCE-88938-6 Record Attempts to Alter Logon and Logout Events - lastlog The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: 
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: 
-w /var/log/lastlog -p wa -k logins
CCE-88948-5 Record Attempts to Alter Logon and Logout Events - tallylog The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: 
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: 
-w /var/log/tallylog -p wa -k logins
CCE-88214-2 Ensure auditd Collects Information on the Use of Privileged Commands - init At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
CCE-86744-0 Ensure auditd Collects Information on the Use of Privileged Commands - poweroff At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88843-8 Ensure auditd Collects Information on the Use of Privileged Commands - reboot At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88922-0 Ensure auditd Collects Information on the Use of Privileged Commands - shutdown At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88170-6 Ensure auditd Collects Information on the Use of Privileged Commands The audit system should collect information about usage of privileged commands for all users. These are commands with suid or sgid bits on and they are specially risky in local block device partitions not mounted with noexec and nosuid options. Therefore, these partitions should be first identified by the following command: 
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid"
For all partitions listed by the previous command, it is necessary to search for setuid / setgid programs using the following command: 
$ sudo find PARTITION -xdev -perm /6000 -type f 2>/dev/null
For each setuid / setgid program identified by the previous command, an audit rule must be present in the appropriate place using the following line structure: 
-a always,exit -F path=PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup, add the line to a file with suffix .rules in the /etc/audit/rules.d directory, replacing the PROG_PATH part with the full path of that setuid / setgid identified program. If the auditd daemon is configured to use the auditctl utility instead, add the line to the /etc/audit/audit.rules file, also replacing the PROG_PATH part with the full path of that setuid / setgid identified program.
CCE-90143-9 Ensure auditd Collects Information on the Use of Privileged Commands - chage At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89551-6 Ensure auditd Collects Information on the Use of Privileged Commands - chsh At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89029-3 Ensure auditd Collects Information on the Use of Privileged Commands - crontab At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89403-0 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-90738-6 Ensure auditd Collects Information on the Use of Privileged Commands - insmod At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/insmod -p x -k modules
CCE-86727-5 Ensure auditd Collects Information on the Use of Privileged Commands - kmod At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89893-2 Ensure auditd Collects Information on the Use of Privileged Commands - modprobe At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-w /sbin/modprobe -p x -k modules
CCE-87814-0 Ensure auditd Collects Information on the Use of Privileged Commands - mount At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88752-1 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89521-9 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89215-8 Ensure auditd Collects Information on the Use of Privileged Commands - passwd At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89134-1 Ensure auditd Collects Information on the Use of Privileged Commands - pkexec At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89394-1 Ensure auditd Collects Information on the Use of Privileged Commands - postdrop At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87927-0 Ensure auditd Collects Information on the Use of Privileged Commands - postqueue At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-90004-3 Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88804-0 Ensure auditd Collects Information on the Use of Privileged Commands - rmmod At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/rmmod -p x -k modules
CCE-90081-1 Record Any Attempts to Run ssh-agent At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
CCE-88874-3 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89587-0 Ensure auditd Collects Information on the Use of Privileged Commands - su At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89698-5 Ensure auditd Collects Information on the Use of Privileged Commands - sudo At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89601-9 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-86962-8 Ensure auditd Collects Information on the Use of Privileged Commands - umount At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-88154-0 Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
CCE-89529-2 Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-86620-2 Ensure auditd Collects Information on the Use of Privileged Commands - unix_update At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-90652-9 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87659-9 Ensure auditd Collects Information on the Use of Privileged Commands - usermod At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
CCE-87633-4 Record attempts to alter time through adjtimex If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
CCE-88533-5 Record Attempts to Alter Time Through clock_settime If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
CCE-90548-9 Record attempts to alter time through settimeofday If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
CCE-89077-2 Record Attempts to Alter Time Through stime If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems: 
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems: 
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
CCE-89928-6 Record Attempts to Alter the localtime File If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
CCE-87194-7 Configure a Sufficiently Large Partition for Audit Logs The Red Hat Enterprise Linux 10 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: 
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command: 
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
CCE-90119-9 Configure auditd to use audispd's syslog plugin To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audit/plugins.d/syslog.conf to yes. Restart the auditd service: 
$ sudo service auditd restart
CCE-87470-1 Configure auditd Disk Error Action on Disk Error The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
CCE-89462-6 Configure auditd Disk Error Action on Disk Error The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
CCE-88198-7 Configure auditd Disk Full Action when Disk Space Is Full The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
CCE-88821-4 Configure auditd Disk Full Action when Disk Space Is Full The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
CCE-89081-4 Configure auditd mail_acct Action on Low Disk Space The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: 
action_mail_acct =
CCE-89040-0 Configure auditd admin_space_left Action on Low Disk Space The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
CCE-88585-5 Configure auditd admin_space_left on Low Disk Space The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately: 
admin_space_left = PERCENTAGE%
Set this value to to cause the system to perform an action.
CCE-88075-7 Configure auditd flush priority The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk: 
flush =
CCE-89263-8 Configure auditd Max Log File Size Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB: 
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
CCE-86674-9 Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf: 
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to . The setting is case-insensitive.
CCE-89533-4 Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf: 
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
CCE-86673-1 Configure auditd space_left on Low Disk Space The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately: 
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
CCE-88897-4 Configure auditd space_left Action on Low Disk Space The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately: 
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
CCE-88619-2 Configure auditd space_left on Low Disk Space The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately: 
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to notify the user of an issue.
CCE-87482-6 Set number of records to cause an explicit flush to audit logs To configure Audit daemon to issue an explicit flush to disk command after writing records, set freq to in /etc/audit/auditd.conf.
CCE-88064-1 Include Local Events in Audit Logs To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
CCE-88921-2 Resolve information before writing to audit logs To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
CCE-87429-7 Set type of computer node name logging in audit logs To configure Audit daemon to use a unique identifier as computer node name in the audit events, set name_format to in /etc/audit/auditd.conf.
CCE-87003-0 Appropriate Action Must be Setup When the Internal Audit Event Queue is Full The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action to one of the following values: syslog, single, halt.
CCE-88724-0 Write Audit Logs to the Disk To configure Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.
CCE-89008-7 Configure auditing of unsuccessful file accesses Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: 
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-87749-8 Configure auditing of unsuccessful file accesses (AArch64) Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: 
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88260-5 Configure auditing of unsuccessful file accesses (ppc64le) Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: 
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89107-7 Configure auditing of successful file accesses Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: 
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88643-2 Configure auditing of successful file accesses (AArch64) Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: 
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90752-7 Configure auditing of successful file accesses (ppc64le) Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: 
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88425-4 Configure basic parameters of Audit system Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above: 
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
Load new Audit rules into kernel by running: 
augenrules --load
CCE-89881-7 Configure auditing of unsuccessful file creations Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: 
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88000-5 Configure auditing of unsuccessful file creations (AArch64) Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: 
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89170-5 Configure auditing of unsuccessful file creations (ppc64le) Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: 
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88927-9 Configure auditing of successful file creations Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: 
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90675-0 Configure auditing of successful file creations (AArch64) Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: 
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89990-6 Configure auditing of successful file creations (ppc64le) Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: 
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89807-2 Configure auditing of unsuccessful file deletions Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: 
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88262-1 Configure auditing of unsuccessful file deletions (AArch64) Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: 
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88931-1 Configure auditing of unsuccessful file deletions (ppc64le) Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: 
## Unsuccessful file delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-87693-8 Configure auditing of successful file deletions Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: 
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88866-9 Configure auditing of successful file deletions (AArch64) Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: 
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlinkat,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88269-6 Configure auditing of successful file deletions (ppc64le) Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: 
## Successful file delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86649-1 Configure immutable Audit login UIDs Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above: 
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
Load new Audit rules into kernel by running: 
augenrules --load
CCE-89667-0 Configure auditing of unsuccessful file modifications Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: 
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-87053-5 Configure auditing of unsuccessful file modifications (AARch64) Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: 
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88663-0 Configure auditing of unsuccessful file modifications (ppc64le) Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: 
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90534-9 Configure auditing of successful file modifications Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: 
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89581-3 Configure auditing of successful file modifications (AArch64) Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: 
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86563-4 Configure auditing of successful file modifications (ppc64le) Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: 
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90674-3 Configure auditing of loading and unloading of kernel modules Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: 
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
Load new Audit rules into kernel by running: 
augenrules --load
CCE-90415-1 Configure auditing of loading and unloading of kernel modules (ppc64le) Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: 
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
Load new Audit rules into kernel by running: 
augenrules --load
CCE-89288-5 Perform general configuration of Audit for OSPP Configure some basic Audit parameters specific for OSPP profile. In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. The following rules configure audit as described above: 
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation


## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89566-4 Perform general configuration of Audit for OSPP (AArch64) Configure some basic Audit parameters specific for OSPP profile. In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. The following rules configure audit as described above: 
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation


## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90399-7 Perform general configuration of Audit for OSPP (ppc64le) Configure some basic Audit parameters specific for OSPP profile. In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. The following rules configure audit as described above: 
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation


## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88845-3 Configure auditing of unsuccessful ownership changes Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-87653-2 Configure auditing of unsuccessful ownership changes (AArch64) Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S fchown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S fchown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86853-9 Configure auditing of unsuccessful ownership changes (ppc64le) Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Unsuccessful ownership change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89472-5 Configure auditing of successful ownership changes Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86485-0 Configure auditing of successful ownership changes (AArch64) Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S fchown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-88115-1 Configure auditing of successful ownership changes (ppc64le) Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: 
## Successful ownership change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86610-3 Configure auditing of unsuccessful permission changes Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: 
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90207-2 Configure auditing of unsuccessful permission changes (AArch64) Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: 
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-86921-4 Configure auditing of unsuccessful permission changes (ppc64le) Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: 
## Unsuccessful permission change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-89344-6 Configure auditing of successful permission changes Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: 
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-87247-3 Configure auditing of successful permission changes (AArch64) Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: 
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
CCE-90680-0 Configure auditing of successful permission changes (ppc64le) Ensure that successful attempts to modify permissions of files or directories are audited. The following rules configure audit as described above: 
## Successful permission change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Load new Audit rules into kernel by running: 
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.