INACTIVE=35

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=35
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?

Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so?

Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/system-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so?

If the system does not have SELinux enabled and enforcing a targeted policy, or if the
pam_faillock.so module is not configured for use, this requirement is not applicable.

Verify the location of the non-default tally directory for the pam_faillock.so module with
the following command:

$ sudo grep -w dir /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock
      Is it the case that the security context type of the non-default tally directory is not "faillog_t"?

$ sudo chage -E YYYY-MM-DD USER

Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?

Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
      Is it the case that output is produced and the accounts listed are interactive user accounts?

$ sudo userdel unauthorized_user

To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?

CREATE_HOME yes

Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?

FAIL_DELAY 4

Verify Red Hat Enterprise Linux 8 enforces a delay of at least 4 seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 4
      Is it the case that the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out?

* hard maxlogins 10

Verify Red Hat Enterprise Linux 8 limits the number of concurrent sessions to
"10" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "10" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?

PASS_MAX_DAYS 60

Verify that Red Hat Enterprise Linux 8 enforces a 60-day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 60
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out?

PASS_MIN_DAYS 1

Verify Red Hat Enterprise Linux 8 enforces 24 hours/one day as the minimum password lifetime for new user accounts.

Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:

$ grep -i pass_min_days /etc/login.defs

PASS_MIN_DAYS 1
      Is it the case that the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out?

Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?

$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Verify that the interactive user account passwords are using a strong
password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
      Is it the case that any interactive user password hash does not begin with "$6"?

PASS_MIN_LEN None

To check the minimum password length, run the command:
$ grep PASS_MIN_LEN /etc/login.defs
The profile requirement is
None.
      Is it the case that it is not set to the required value?

Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one numeric character be used.

Check the value for "dcredit" with the following command:

$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dcredit = 
      Is it the case that the value of "dcredit" is a positive number or is commented out?

Verify Red Hat Enterprise Linux 8 prevents the use of dictionary words for passwords with the following command:

$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dictcheck=1
      Is it the case that "dictcheck" does not have a value other than "0", or is commented out?

Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:

$ sudo grep difok /etc/security/pwquality.conf

difok = 8
      Is it the case that the value of "difok" is set to less than "8", or is commented out?

Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character.

Check the value for "lcredit" with the following command:

$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:lcredit = -1
      Is it the case that the value of "lcredit" is a positive number or is commented out?

Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxclassrepeat /etc/security/pwquality.conf

maxclassrepeat = 4
      Is it the case that the value of "maxclassrepeat" is set to "0", more than "4" or is commented out?

Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxrepeat /etc/security/pwquality.conf

maxrepeat = 3
      Is it the case that the value of "maxrepeat" is set to more than "3" or is commented out?

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:

$ grep minclass /etc/security/pwquality.conf

minclass = 4
      Is it the case that the value of "minclass" is set to less than "4" or is commented out?

Verify that Red Hat Enterprise Linux 8 enforces a minimum 15-character password length with the following command:

$ grep minlen /etc/security/pwquality.conf

minlen = 15
      Is it the case that the command does not return a "minlen" value of "15" or greater, does not return a line, or the line is commented out?

Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one special character with the following command:

$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ocredit = -1
      Is it the case that value of "ocredit" is a positive number or is commented out?

To check if pam_pwquality.so is enabled in password-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/password-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in password-auth?

To check if pam_pwquality.so is enabled in system-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in system-auth?

Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to 3.


Check for the use of the "pwquality" retry option in the /etc/security/pwquality.conf file with the following command:
$ grep retry /etc/security/pwquality.conf
      Is it the case that the value of "retry" is set to "0" or greater than "3", or is missing?

Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character.

Check the value for "ucredit" with the following command:

$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ucredit = -1
      Is it the case that the value of "ucredit" is a positive number or is commented out?

$ sudo chage -M 60 USER

Check whether the maximum time period for existing passwords is restricted to 60 days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?

$ sudo chage -m 1 USER

Verify that Red Hat Enterprise Linux 8 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?

Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:

$ sudo grep audit /etc/security/faillock.conf

audit
      Is it the case that the "audit" option is not set, is missing or commented out?

Verify Red Hat Enterprise Linux 8 is configured to lock an account after 3
unsuccessful logon attempts with the command:

$ grep 'deny =' /etc/security/faillock.conf
deny = 3.
      Is it the case that the "deny" option is not set to "3"
or less (but not "0"), is missing or commented out?

Verify Red Hat Enterprise Linux 8 is configured to lock the root account after 
unsuccessful logon attempts with the command:

$ grep even_deny_root /etc/security/faillock.conf
even_deny_root
      Is it the case that the "even_deny_root" option is not set, is missing or commented out?

Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be re-enabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.

dir = None

To ensure the tally directory is configured correctly, run the following command:
$ sudo grep 'dir =' /etc/security/faillock.conf
The output should show that dir is set to something other than "/var/run/faillock"
      Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out?

To ensure the failed password attempt policy is configured correctly, run the following command:

$ grep fail_interval /etc/security/faillock.conf
The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater.
      Is it the case that the "fail_interval" option is not set to "900"
or less (but not "0"), the line is commented out, or the line is missing?

To ensure that the system prevents messages from being shown when three unsuccessful logon
attempts occur, run the following command:
$ grep silent /etc/security/faillock.conf
The output should show silent.
      Is it the case that the system shows messages when three unsuccessful logon attempts occur?

Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator
after  unsuccessful logon
attempts with the command:

$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = 0
      Is it the case that the "unlock_time" option is not set to "0",
the line is missing, or commented out?

umask 077

Verify the umask setting is configured correctly in the /etc/bashrc file with the following command:

$ sudo grep "umask" /etc/bashrc

umask 077
      Is it the case that the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out?

umask 077

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command:

$ grep umask /etc/csh.cshrc

umask 077
umask 077
      Is it the case that the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out?

UMASK 077

Verify Red Hat Enterprise Linux 8 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 077
      Is it the case that the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out?

umask 077

Verify the umask setting is configured correctly in the /etc/profile file
or scripts within /etc/profile.d directory with the following command:
$ grep "umask" /etc/profile*
umask 077
      Is it the case that the value for the "umask" parameter is not "077",
or the "umask" parameter is missing or is commented out?

Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

$ sudo find /home -maxdepth 2 -type f -name ".[^.]*" -exec grep -iH -d skip --exclude=.bash_history umask {} \;

/home/wadea/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/wadea/.bash_history:grep -i umask /etc/login.defs
      Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"?

$ sudo chmod o-w FILE

Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?

Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?

Verify that interactive users on the system have a home directory assigned with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined.
      Is it the case that users home directory is not defined?

$ sudo mkdir /home/USER

Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?

$ sudo chgrp USER_GROUP /home/USER/FILE_DIR

To verify all files and directories in interactive user home directory are
group-owned by a group the user is a member of, run the
following command:
$ sudo ls -lLR /home/USER
      Is it the case that the group ownership is incorrect?

$ sudo chmod 0750 /home/USER/FILE_DIR

To verify all files and directories contained in interactive user home
directory, excluding local initialization files, have a mode of 0750,
run the following command:
$ sudo ls -lLR /home/USER
      Is it the case that home directory files or folders have incorrect permissions?

$ sudo /usr/sbin/aide --init

$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

$ sudo /usr/sbin/aide --check

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
      Is it the case that there is no database file?

Check that AIDE is properly configured to protect the integrity of the
audit tools by running the following command:

# sudo cat /etc/aide.conf | grep /usr/sbin/au

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512


/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512


If AIDE is configured properly to protect the integrity of the audit tools,
all lines listed above will be returned from the command.

If one or more lines are missing, this is a finding.
      Is it the case that integrity checks of the audit tools are missing or incomplete?

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

To determine that periodic AIDE execution has been scheduled, run the following command:

$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
The email address that the notifications are sent to can be changed by overriding
.
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-w /etc/cron.d/ -p wa -k cronjobs

-w /etc/cron.d/ -p wa -k cronjobs

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/cron.d/" with the following command:

$ sudo auditctl -l | grep /etc/cron.d/

-w /etc/cron.d/ -p wa -k cronjobs
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command:

$ sudo auditctl -l | grep semanage

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command:

$ sudo auditctl -l | grep setfiles

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command:

$ sudo auditctl -l | grep setsebool

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rmdir system call, run the following command:
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-e 2

-e 2

Verify the audit system prevents unauthorized changes with the following command:
$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-e 2

      Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"?

--loginuid-immutable

--loginuid-immutable

To determine if the system is configured to make login UIDs immutable, run
one of the following commands.
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), run the following:
sudo grep immutable /etc/audit/rules.d/*.rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, run the following command:
sudo grep immutable /etc/audit/audit.rules
The following line should be returned:
--loginuid-immutable
      Is it the case that the system is not configured to make login UIDs immutable?

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-w None -p wa -k logins

-w None -p wa -k logins

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "None" with the following command:

$ sudo auditctl -l | grep None

-w None -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?

-w /var/log/lastlog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

To determine if the system is configured to audit calls to the
mount system call, run the following command:
$ sudo grep "mount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command:

$ sudo auditctl -l | grep mount

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command:

$ sudo auditctl -l | grep pam_timestamp_check

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command:

$ sudo auditctl -l | grep postdrop

-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command:

$ sudo auditctl -l | grep postqueue

-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysignssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command:

$ sudo auditctl -l | grep umount

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command:

$ sudo auditctl -l | grep unix_update

-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command:

$ sudo auditctl -l | grep userhelper

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/sudoers -p wa -k actions

-w /etc/sudoers -p wa -k actions

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/sudoers" with the following command:

$ sudo auditctl -l | grep /etc/sudoers

-w /etc/sudoers -p wa -k actions
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/sudoers.d/ -p wa -k actions

-w /etc/sudoers.d/ -p wa -k actions

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/sudoers.d/" with the following command:

$ sudo auditctl -l | grep /etc/sudoers.d/

-w /etc/sudoers.d/ -p wa -k actions
      Is it the case that the command does not return a line, or the line is commented out?

$ sudo grep execve /etc/audit/audit.rules

$ sudo grep -r execve /etc/audit/rules.d

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

Verify Red Hat Enterprise Linux 8 audits the execution of privileged functions.

Check if Red Hat Enterprise Linux 8 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r creat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep creat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r ftruncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep ftruncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open_by_handle_at /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open_by_handle_at /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r openat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep openat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/group -p wa -k audit_rules_usergroup_modification

-w /etc/group -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep /etc/group

-w /etc/group -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep /etc/gshadow

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
      Is it the case that the system is not configured to audit account changes?

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep /etc/security/opasswd

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/passwd" with the following command:

$ sudo auditctl -l | grep /etc/passwd

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
      Is it the case that the command does not return a line, or the line is commented out?

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/etc/shadow" with the following command:

$ sudo auditctl -l | grep /etc/shadow

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
      Is it the case that command does not return a line, or the line is commented out?

-w /var/spool/cron -p wa -k cronjobs

-w /var/spool/cron -p wa -k cronjobs

Verify Red Hat Enterprise Linux 8 generates audit records for all events that affect "/var/spool/cron" with the following command:

$ sudo auditctl -l | grep /var/spool/cron

-w /var/spool/cron -p wa -k cronjobs
      Is it the case that command does not return a line, or the line is commented out?

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

To verify whether audispd plugin off-loads audit records onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf

The output should return something similar to where REMOTE_SYSTEM
is an IP address or hostname:
remote_server = REMOTE_SYSTEM

Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command and verify whether it is sufficiently large:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
      Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space?

disk_error_action = ACTION

Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs.

Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command:

$ sudo grep disk_error_action /etc/audit/auditd.conf

disk_error_action = 

If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.
      Is it the case that there is no evidence of appropriate action?

disk_full_action = ACTION

Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full.

Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full with the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = 

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
      Is it the case that there is no evidence of appropriate action?

action_mail_acct = root

Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = root
      Is it the case that the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?

space_left_action = ACTION

• syslog
• email
• exec
• suspend
• single
• halt

Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = 

If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?

space_left = PERCENTAGE%

Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left /etc/audit/auditd.conf

space_left = %
      Is it the case that the value of the "space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value?

To verify that Audit Daemon is configured to include local events, run the
following command:
$ sudo grep local_events /etc/audit/auditd.conf
The output should return the following:
local_events = yes
      Is it the case that local_events isn't set to yes?

To verify that Audit Daemon is configured to resolve all uid, gid, syscall,
architecture, and socket address information before writing the event to disk,
run the following command:
$ sudo grep log_format /etc/audit/auditd.conf
The output should return the following:
log_format = ENRICHED
      Is it the case that log_format isn't set to ENRICHED?

To verify that Audit Daemon is configured to record the computer node
name in the audit events, run the following command:
$ sudo grep name_format /etc/audit/auditd.conf
The output should return the following:
name_format = hostname|fqd|numeric
      Is it the case that name_format isn't set to hostname|fqd|numeric?

Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf

The output should contain overflow_action = syslog

If the value of the "overflow_action" option is not set to syslog,
single, halt or the line is commented out, ask the System Administrator
to indicate how the audit logs are off-loaded to a different system or media.
      Is it the case that auditd overflow action is not set correctly?

To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?

Verify the NX (no-execution) bit flag is set on the system.

Check that the no-execution bit flag is set with the following commands:

$ sudo dmesg | grep NX

[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command:

$ sudo grep flags /proc/cpuinfo
flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts

The output should contain the "nx" flag.
      Is it the case that NX is disabled?

Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command:
$ grep -w port /etc/chrony.conf
port 0
      Is it the case that the "port" option is not set to "0", is commented out, or is missing?

Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command:
$ grep -w cmdport /etc/chrony.conf
cmdport 0
      Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing?

maxpoll 16

Verify Red Hat Enterprise Linux 8 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf /etc/chrony.d/
server [ntp.server.name] iburst maxpoll 16
.
      Is it the case that "maxpoll" has not been set to the value of "16", is commented out, or is missing?

Run the following command and verify that time sources are only configured with server directive:
# grep -E "^(server|pool)" /etc/chrony.conf
A line with the appropriate server should be returned, any line returned starting with pool is a finding.
      Is it the case that an authoritative remote time server is not configured or configured with pool directive?

server <remote-server>

# In /etc/chrony.conf:
sourcedir /etc/chrony/sources.d

# In /etc/chrony/sources.d/ntp.sources:
server 0.pool.ntp.org

# In /etc/chrony.conf:
confdir /etc/chrony/conf.d

# In /etc/chrony/conf.d/ntp-servers.conf:
pool 1.pool.ntp.org

Verify that a remote time server is configured. First, check the main configuration file:
# grep -E "^(server|pool)" /etc/chrony.conf
If no server or pool directive is found, check for sourcedir or confdir directives:
# grep -E "^(sourcedir|confdir)" /etc/chrony.conf
For each sourcedir found, check .sources files in that directory:
# grep -E "^(server|pool)" /path/to/sourcedir/*.sources
For each confdir found, check .conf files in that directory:
# grep -E "^(server|pool)" /path/to/confdir/*.conf
At least one server or pool directive must be present in the main configuration file
or in files within directories specified by sourcedir or confdir directives.
      Is it the case that a remote time server is not configured?

Verify Red Hat Enterprise Linux 8 removes all software components after updated versions have been installed.


$ grep clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
      Is it the case that '"clean_requirements_on_remove" is not set to "1"'?

To verify that BIND uses the system crypto policy, check out that the BIND config file
/etc/named.conf
 contains the 
include "/etc/crypto-policies/back-ends/bind.config";
directive:
$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf
Verify that the directive is at the bottom of the 
options
 section of the config file.
      Is it the case that BIND is installed and the BIND config file doesn't contain the
include "/etc/crypto-policies/back-ends/bind.config";
 directive?

$ sudo update-crypto-policies --set FIPS

To verify that cryptography policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
The output should return 
FIPS
.
Run the command to check if the policy is correctly applied:
$ update-crypto-policies --is-applied
The output should be 
The configured policy is applied
.
Moreover, check if settings for selected crypto policy are as expected.
List all libraries for which it holds that their crypto policies do not have symbolic link in 
/etc/crypto-policies/back-ends
.
$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort
Subsequently, check if matching libraries have drop in files in the 
/etc/crypto-policies/local.d
 directory.
$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort
Outputs of two previous commands should match.
      Is it the case that cryptographic policy is not configured or is configured incorrectly?

firewall-cmd --permanent --add-port=port_number/tcp

firewall-cmd --permanent --add-service=service_name

Inspect the list of enabled firewall ports and verify they are configured correctly by running
the following command:

$ sudo firewall-cmd --list-all

Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
      Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured?

To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run:
$ sudo grep
'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
/etc/crypto-policies/back-ends/gnutls.config
 and verify that a match exists.
      Is it the case that cryptographic policy for gnutls is not configured or is configured incorrectly?

Check that the symlink exists and target the correct Kerberos crypto policy, with the following command:
file /etc/krb5.conf.d/crypto-policies
If command output shows the following line, Kerberos is configured to use the system-wide crypto policy.
/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
      Is it the case that the symlink does not exist or points to a different target?

Verify that the IPSec service uses the system crypto policy.

If the ipsec service is not installed is not applicable.

Check to see if the "IPsec" service is active with the following command:

$ systemctl status ipsec

ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)

If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command:

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
      Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain include /etc/crypto-policies/back-ends/libreswan.config?

To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
/etc/pki/tls/openssl.cnf
 contains the 
[ crypto_policy ]
 section with the
.include /etc/crypto-policies/back-ends/opensslcnf.config
 directive:

$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
.
      Is it the case that the OpenSSL config file doesn't contain the whole section,
or the section doesn't contain the 
.include /etc/crypto-policies/back-ends/opensslcnf.config
 directive?

$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2

$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2

To verify if the OpenSSL uses defined TLS Crypto Policy, run:
$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config
and verify that the value is
TLSv1.2
      Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly?

Verify that sshd isn't configured to ignore the system wide cryptographic policy.

Check that the CRYPTO_POLICY variable is not set or is commented out in the
/etc/sysconfig/sshd.

Run the following command:

$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd
      Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd?

To verify that Linux Audit logging is enabled for the USBGuard daemon,
run the following command:
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
The output should be
AuditBackend=LinuxAudit
      Is it the case that AuditBackend is not set to LinuxAudit?

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state

running

$ sudo firewall-cmd --get-active-zones

[custom]
interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target

target: DROP
      Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"?

Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command:

$ grep -i process /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf

ProcessSizeMax=0
      Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?

Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command:

$ grep -i storage /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf

Storage=none
      Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?

[org/gnome/login-screen]
banner-message-enable=true

/org/gnome/login-screen/banner-message-enable

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?

[org/gnome/settings-daemon/plugins/media-keys]
logout=['']

/org/gnome/settings-daemon/plugins/media-keys/logout

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence,
run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
      Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?

[org/gnome/login-screen]
disable-user-list=true

/org/gnome/login-screen/disable-user-list

To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-list
      Is it the case that disable-user-list has not been configured or is not disabled?

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'

/org/gnome/settings-daemon/peripherals/smartcard/removal-action

To ensure screen locking on smartcard removal is enabled, run the following command:
$ grep removal-action /etc/dconf/db/local.d/*
The output should be 'lock-screen'.
To ensure that users cannot disable screen locking on smartcard removal, run the following:
$ grep removal-action /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action
      Is it the case that removal-action has not been configured?

[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'

/org/gnome/login-screen/banner-message-text

To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
      Is it the case that it does not?

[org/gnome/desktop/session]
idle-delay=uint32 900

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is set to 0 or a value greater than ?

[org/gnome/desktop/screensaver]
lock-delay=uint32 5

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 5'.
      Is it the case that the screensaver lock delay is missing, or is set to a value greater than 5?

[org/gnome/desktop/screensaver]
lock-enabled=true

/org/gnome/desktop/screensaver/lock-enabled

To check the status of the idle screen lock activation, run the following command:

$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?

/org/gnome/desktop/screensaver/lock-enabled

/org/gnome/desktop/screensaver/lock-enabled

To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not locked?

/org/gnome/desktop/screensaver/lock-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
      Is it the case that GNOME3 session settings are not locked or configured properly?

/org/gnome/desktop/session/idle-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chgrp root DIR

Verify the system-wide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
      Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chown root DIR

Verify the system-wide shared library directories are owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
      Is it the case that any system-wide shared library directory is not owned by root?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chmod go-w DIR

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64

To find shared libraries that are group-writable or world-writable,
run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type d
      Is it the case that any of these files are group-writable or world-writable?

The following command will discover and print world-writable directories that
are not owned by root. Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print
      Is it the case that there are world-writable directories not owned by root?

$ sudo chmod +t DIR

To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
fixtext: |-
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.

Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:

$ chmod a+t [World-Writable Directory]
srg_requirement:
A sticky bit must be set on all Red Hat Enterprise Linux 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
      Is it the case that any world-writable directories are missing the sticky bit?

The following command will discover and print world-writable directories that
are not group owned by a system account, given the assumption that only system
accounts have a gid lower than 1000.  Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
      Is it the case that there is output?

/var/log/audit/

$ sudo chgrp root /var/log/audit

Determine the audit log group by running the following command:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified.
Run the following command:

$ sudo find /var/log/audit -type d -printf "%p %g\n"

All listed directories must be owned by the log_group or by root if the log_group is not specified.
      Is it the case that there is a directory owned by different group?

/var/log/audit/

$ sudo chown root /var/log/audit 

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Determine the owner of the audit log directory by using the output of the above command
(default: "/var/log/audit/"). Run the following command with the correct audit log directory
path:

$ sudo ls -ld /var/log/audit

drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit

The audit log directory must be owned by "root"
      Is it the case that the directory is not owned by root?

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

$ sudo chmod 0700 audit_log_directory

Verify the audit log directories have a correct mode or less permissive mode.

Find the location of the audit logs:

$ sudo grep "^log_file" /etc/audit/auditd.conf



Run the following command to check the mode of the system audit logs:

$ sudo stat -c "%a %n" [audit_log_directory]

Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".


The correct permissions are 0700
      Is it the case that audit logs have a more permissive mode?

CtrlAltDelBurstAction=none

To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
enter the following command:
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
CtrlAltDelBurstAction=none
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.?

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?

*     hard   core    0

Verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
*     hard   core    0
      Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"?

$ sudo grep pam_succeed_if /etc/pam.d/sudo

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?

session     [default=1]    pam_lastlog.so showfailed

Verify users are provided with feedback on when account accesses last occurred with the following command:

$ sudo grep pam_lastlog /etc/pam.d/postlogin

session [default=1] pam_lastlog.so showfailed
      Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file?

Verify that authselect is enabled by running
authselect current
If authselect is enabled on the system, the output should show the ID of the profile which is currently in use.
      Is it the case that authselect is not used to manage user authentication setup on the system?

To verify that the Dracut FIPS module is enabled, run the following command:
grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf
The output should look like this:
add_dracutmodules+=" fips "
      Is it the case that the Dracut FIPS module is not enabled?

To verify that FIPS mode is enabled properly, run the following command:
cat /proc/sys/crypto/fips_enabled
The output be must:
1
      Is it the case that FIPS mode is not enabled?

gpgcheck=1

To determine whether yum has been configured to disable
gpgcheck for any repos, inspect all files in
 and ensure the following does not appear in any
sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
      Is it the case that GPG checking is disabled?

part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE

Check the system partitions to determine if they are encrypted with the following command:
blkid



Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"



The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?

$ grep -r "^\[.*epel.*\]" /etc/yum.repos.d/

To verify that EPEL repository is not enabled, run the following commands:
$ grep -r "^\[.*epel.*\]" /etc/yum.repos.d/
For each EPEL repository found, check if it is enabled:
$ grep -A 5 "^\[.*epel.*\]" /etc/yum.repos.d/*.repo | grep "enabled"
The output should show enabled=0 for all EPEL repositories, or no EPEL repositories
should be present.
      Is it the case that EPEL repository is enabled?

Verify that yum verifies the signature of local packages prior to install with the following command:

$ grep localpkg_gpgcheck /etc/yum.conf

localpkg_gpgcheck=1

If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates for local packages that is approved by the organization?

$ sudo subscription-manager register

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Red Hat, Inc. (release key 2)  <security@redhat.com>
      Is it the case that the Red Hat GPG Key is not installed?

Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy.

Check that "fapolicyd" is in enforcement mode with the following command:

$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf

permissive = 0

Check that fapolicyd employs a deny-all policy on system mounts with the following commands:

For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules

For RHEL 8.6 systems and newer:
$ sudo tail /etc/fapolicyd/compiled.rules

allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all
      Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy?

Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the group-owner of each audit tool by running the following command:

$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not group-owned by root?

Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the owner of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not owned by root?

Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode.

Check the octal permission of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules
      Is it the case that any of these files have more permissive permissions than 0755?

/etc/audit/auditd.conf

/var/log/audit/

$ sudo chgrp root /var/log/audit/*

Check group owners of the system audit logs.

First, determine where the audit log file is located.

$ sudo grep -iw ^log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

The log_file option specifies the audit log file path.
If the log_file option isn't defined, check all files within /var/log/audit directory.


Then, determine the audit log group by running the following command:
$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf


Then, check that the audit log file is owned by the correct group.
Run the following command to display the owner of the audit log file:

$ sudo stat -c "%n %G" log_file


The audit log file must be owned by the log_group or by root if the log_group is not specified.
      Is it the case that audit log files are owned by incorrect group?

$ sudo chgrp root /var/log

To check the group ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following group-owner:

  root
  
      Is it the case that /var/log does not have a group owner of
root
?

$ sudo chgrp root /var/log/messages

To check the group ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following group-owner:

  root
  
      Is it the case that /var/log/messages does not have a group owner of
root
?

$ sudo chgrp USER_GROUP /home/USER

To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

$ sudo chgrp root FILE

Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
      Is it the case that any system commands are returned and is not group-owned by a required system account?

$ sudo chown root /var/log 

To check the ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log does not have an owner of root?

$ sudo chown root /var/log/messages 

To check the ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log/messages does not have an owner of root?

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

$ sudo chown root FILE

Verify the system commands contained in the following directories are owned by "root" with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
      Is it the case that any system commands are found to not be owned by root?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chown root FILE

Verify the system-wide shared library files are owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;
      Is it the case that any system wide shared library file is not owned by root?

/etc/audit/auditd.conf

/var/log/audit/

$ sudo chown root /var/log/audit/* 

Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Using the location of the audit log file, determine if the audit log is owned by "root" using the following command:
$ sudo stat -c "%n %U" /var/log/audit/audit.log
Audit logs must be owned by user root.
If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead.
      Is it the case that the audit log is not owned by root?

$ sudo chmod 0740 /root/.INIT_FILE
$ sudo chmod 0740 /home/USER/.INIT_FILE

To verify that all user initialization files have a mode of 0740 or
less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
      Is it the case that they are not 0740 or more permissive?

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

$ sudo chmod go-w FILE

Verify the system commands contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;
      Is it the case that any system commands are found to be group-writable or world-writable?

$ sudo chmod 0640 /etc/audit/auditd.conf

To check the permissions of /etc/audit/auditd.conf,
run the command:
$ ls -l /etc/audit/auditd.conf
If properly configured, the output should indicate the following permissions:
-rw-r-----
      Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----?

$ sudo chmod 0600 /etc/audit/rules.d/*.rules

To check the permissions of /etc/audit/rules.d/*.rules,
run the command:
$ ls -l /etc/audit/rules.d/*.rules
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-------?

$ sudo chmod 0750 /home/USER

To verify the assigned home directory of all interactive user home directories
have a mode of 
0750
 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
      Is it the case that they are more permissive?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chmod go-w FILE

Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \;
      Is it the case that any system-wide shared library file is found to be group-writable or world-writable?

To check the permissions of /etc/ssh/*_key,
run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /etc/ssh/*_key does not have unix mode -rw-------?

$ sudo chmod 0644 /etc/ssh/*.pub

To check the permissions of /etc/ssh/*.pub,
run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid group:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid group should be located.
      Is it the case that there is output?

$ sudo chmod 0755 /var/log

To check the permissions of /var/log,
run the command:
$ ls -l /var/log
If properly configured, the output should indicate the following permissions:
drwxr-xr-x
      Is it the case that /var/log does not have unix mode drwxr-xr-x?

$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

$ sudo chmod 0600 audit_log_file

Run the following command to check the mode of the system audit logs:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file=/var/log/audit/audit.log
$ sudo stat -c "%n %a" /var/log/audit/*
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive.
      Is it the case that any permissions are more permissive?

$ sudo chmod 0600 /var/log/messages

To check the permissions of /var/log/messages,
run the command:
$ ls -l /var/log/messages
If properly configured, the output should indicate the following permissions:
-rw-------
      Is it the case that /var/log/messages does not have unix mode -rw-------?

Show the configured systemwide cryptographic policy by running the following command:

$ sudo update-crypto-policies --show
FIPS
      Is it the case that using an insecure sub-policy?

Verify "nftables" is configured to allow rate limits on any connection to the system with the following command:

Verify "firewalld" has "nftables" set as the default backend:

$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf

# FirewallBackend
FirewallBackend=nftables
      Is it the case that the "nftables" is not set as the "firewallbackend"?

[daemon]
AutomaticLoginEnable=false

To verify that automatic logins are disabled, run the following command:
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
The output should show the following:
[daemon]
AutomaticLoginEnable=false
      Is it the case that GDM allows users to automatically login?

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users

export superusers

grub2-mkconfig -o /boot/grub2/grub.cfg

To verify the boot loader superuser account has been set, run the following
command:
sudo grep -A1 "superusers" /boot/grub2/grub.cfg
The output should show the following:
set superusers="superusers-account"
export superusers
where superusers-account is the actual account name different from common names like root,
admin, or administrator and different from any other existing user name.
      Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name?

GRUB_CMDLINE_LINUX="... audit=1 ..."

# grubby --update-kernel=ALL --args="audit=1"

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes audit=1,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
The command should not return any output.
      Is it the case that auditing is not enabled at boot time?

GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."

# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes audit_backlog_limit=8192,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
The command should not return any output.
      Is it the case that audit backlog limit is not configured?

None
      Is it the case that None?

GRUB_CMDLINE_LINUX="... page_poison=1 ..."

# grubby --update-kernel=ALL --args="page_poison=1"

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes page_poison=1,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
The command should not return any output.
      Is it the case that page allocator poisoning is not enabled?

# grub2-setpassword

First, check whether the password is defined in either /boot/grub2/user.cfg or
/boot/grub2/grub.cfg.
Run the following commands:
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg
$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg


Second, check that a superuser is defined in /boot/grub2/grub.cfg.
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  /boot/grub2/grub.cfg
      Is it the case that it does not produce any output?

GRUB_CMDLINE_LINUX="... pti=on ..."

# grubby --update-kernel=ALL --args="pti=on"

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes pti=on,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'pti=on'
The command should not return any output.
      Is it the case that Kernel page-table isolation is not enabled?

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users

export superusers

grub2-mkconfig -o /boot/grub2/grub.cfg

To verify the boot loader superuser account has been set, run the following
command:
sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg
The output should show the following:
set superusers="superusers-account"
export superusers
where superusers-account is the actual account name different from common names like root,
admin, or administrator and different from any other existing user name.
      Is it the case that superuser account is not set or is set to an existing name or to a common name?

# grub2-setpassword

To verify the boot loader superuser password has been set, run the following command:
$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
      Is it the case that no password is set?

GRUB_CMDLINE_LINUX="... vsyscall=none ..."

# grubby --update-kernel=ALL --args="vsyscall=none"

Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes vsyscall=none,
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none'
The command should not return any output.
      Is it the case that vsyscalls are enabled?

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
      Is it the case that Crypto Policy for OpenSSH client is not configured correctly?

-oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
      Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?

To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
      Is it the case that Crypto Policy for OpenSSH client is not configured correctly?

To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oMACS=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
      Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?

$ sudo yum install openssl-pkcs11

Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed.

Run the following command to determine if the openssl-pkcs11 package is installed:
$ rpm -q openssl-pkcs11
      Is it the case that smartcard software is not installed?

To verify that the installed operating system is supported, run
the following command:

$ grep -i "red hat" /etc/redhat-release

Red Hat Enterprise Linux 8
      Is it the case that the installed operating system is not supported?

Run the following command to see if there are some keytabs
that would potentially allow the use of Kerberos by system daemons.
$ ls -la /etc/*.keytab
The expected result is
ls: cannot access '/etc/*.keytab': No such file or directory
      Is it the case that a keytab file is present on the system?

install atm /bin/false

install atm /bin/true

blacklist atm

If the system is configured to prevent the loading of the atm kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install bluetooth /bin/true

If the system is configured to prevent the loading of the bluetooth kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install can /bin/false

install can /bin/true

blacklist can

If the system is configured to prevent the loading of the can kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r can /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install cramfs /bin/false

install cramfs /bin/true

blacklist cramfs

If the system is configured to prevent the loading of the cramfs kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install firewire-core /bin/false

install firewire-core /bin/true

blacklist firewire-core

If the system is configured to prevent the loading of the firewire-core kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install sctp /bin/false

install sctp /bin/true

blacklist sctp

If the system is configured to prevent the loading of the sctp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install tipc /bin/false

install tipc /bin/true

blacklist tipc

If the system is configured to prevent the loading of the tipc kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

install usb-storage /bin/false

install usb-storage /bin/true

blacklist usb-storage

If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?

If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

Verify the operating system disables the ability to load the uvcvideo kernel module.

$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"

install uvcvideo /bin/true
      Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use?

[Login]

StopIdleSessionSec=600

Display the contents of the file /etc/systemd/logind.conf:
cat /etc/systemd/logind.conf
Ensure that there is a section [login] which contains the
configuration StopIdleSessionSec=600.
      Is it the case that the option is not configured?

Verify the nosuid option is configured for the /boot/efi mount point,
    run the following command:
    
$ sudo mount | grep '\s/boot/efi\s'
    
. . . /boot/efi . . . nosuid . . .

      Is it the case that the "/boot/efi" file system does not have the "nosuid" option set?

Verify the nosuid option is configured for the /boot mount point,
    run the following command:
    
$ sudo mount | grep '\s/boot\s'
    
. . . /boot . . . nosuid . . .

      Is it the case that the "/boot" file system does not have the "nosuid" option set?

Verify the nodev option is configured for the /dev/shm mount point,
    run the following command:
    
$ sudo mount | grep '\s/dev/shm\s'
    
. . . /dev/shm . . . nodev . . .

      Is it the case that the "/dev/shm" file system does not have the "nodev" option set?

Verify the noexec option is configured for the /dev/shm mount point,
    run the following command:
    
$ sudo mount | grep '\s/dev/shm\s'
    
. . . /dev/shm . . . noexec . . .

      Is it the case that the "/dev/shm" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /dev/shm mount point,
    run the following command:
    
$ sudo mount | grep '\s/dev/shm\s'
    
. . . /dev/shm . . . nosuid . . .

      Is it the case that the "/dev/shm" file system does not have the "nosuid" option set?

Verify the noexec option is configured for the /home mount point,
    run the following command:
    
$ sudo mount | grep '\s/home\s'
    
. . . /home . . . noexec . . .

      Is it the case that the "/home" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /home mount point,
    run the following command:
    
$ sudo mount | grep '\s/home\s'
    
. . . /home . . . nosuid . . .

      Is it the case that the "/home" file system does not have the "nosuid" option set?

To verify the nodev option is configured for non-root local partitions, run the following command:
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
The output shows local non-root partitions mounted without the nodev option, and there should be no output at all.

      Is it the case that some mounts appear among output lines?

To verify the nodev option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nodev setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?

Verify file systems that are used for removable media are mounted with the "nodev" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set?

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses.  This is not applicable if NFS is
not implemented.
      Is it the case that the setting does not show?

To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify all partitions
in the output are not removable media.
      Is it the case that removable media partitions are present?

To verify the nosuid option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?

Verify the nodev option is configured for the /tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/tmp\s'
    
. . . /tmp . . . nodev . . .

      Is it the case that the "/tmp" file system does not have the "nodev" option set?

Verify the noexec option is configured for the /tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/tmp\s'
    
. . . /tmp . . . noexec . . .

      Is it the case that the "/tmp" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/tmp\s'
    
. . . /tmp . . . nosuid . . .

      Is it the case that the "/tmp" file system does not have the "nosuid" option set?

Verify the nodev option is configured for the /var/log/audit mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log/audit\s'
    
. . . /var/log/audit . . . nodev . . .

      Is it the case that the "/var/log/audit" file system does not have the "nodev" option set?

Verify the noexec option is configured for the /var/log/audit mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log/audit\s'
    
. . . /var/log/audit . . . noexec . . .

      Is it the case that the "/var/log/audit" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /var/log/audit mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log/audit\s'
    
. . . /var/log/audit . . . nosuid . . .

      Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set?

Verify the nodev option is configured for the /var/log mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log\s'
    
. . . /var/log . . . nodev . . .

      Is it the case that the "/var/log" file system does not have the "nodev" option set?

Verify the noexec option is configured for the /var/log mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log\s'
    
. . . /var/log . . . noexec . . .

      Is it the case that the "/var/log" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /var/log mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/log\s'
    
. . . /var/log . . . nosuid . . .

      Is it the case that the "/var/log" file system does not have the "nosuid" option set?

Verify the nodev option is configured for the /var/tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/tmp\s'
    
. . . /var/tmp . . . nodev . . .

      Is it the case that the "/var/tmp" file system does not have the "nodev" option set?

Verify the noexec option is configured for the /var/tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/tmp\s'
    
. . . /var/tmp . . . noexec . . .

      Is it the case that the "/var/tmp" file system does not have the "noexec" option set?

Verify the nosuid option is configured for the /var/tmp mount point,
    run the following command:
    
$ sudo mount | grep '\s/var/tmp\s'
    
. . . /var/tmp . . . nosuid . . .

      Is it the case that the "/var/tmp" file system does not have the "nosuid" option set?

$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns

$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Verify that DNS servers have been configured properly, perform the following:
$ sudo grep nameserver /etc/resolv.conf
      Is it the case that less than two lines are returned that are not commented out?

$ ip link | grep PROMISC

$ sudo ip link set dev device_name multicast off promisc off

Verify that Promiscuous mode of an interface is disabled, run the following command:
$ ip link | grep PROMISC
      Is it the case that any network device is in promiscuous mode?

To verify that null passwords cannot be used, run the following command:

$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth

If this produces any output, it may be possible to log into accounts
with empty passwords. Remove any instances of the nullok option to
prevent logins with empty passwords.
      Is it the case that NULL passwords can be used?

$ sudo awk -F: '!$2 {print $1}' /etc/shadow

$ sudo passwd [username]

$ sudo passwd -l [username]

To verify that null passwords cannot be used, run the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
      Is it the case that Blank or NULL passwords can be used?

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid user:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid user should be located.
      Is it the case that files exist that are not owned by a valid user?

$ sudo rm /[path]/[to]/[file]/shosts.equiv

Verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
      Is it the case that shosts.equiv files exist?

$ sudo find / -name '.shosts' -type f -delete

To verify that there are no .shosts files
on the system, run the following command:
$ sudo find / -name '.shosts'
      Is it the case that .shosts files exist?

$ sudo yum erase abrt-addon-ccpp

Run the following command to determine if the abrt-addon-ccpp package is installed:
$ rpm -q abrt-addon-ccpp
      Is it the case that the package is installed?

$ sudo yum erase abrt-addon-kerneloops

Run the following command to determine if the abrt-addon-kerneloops package is installed:
$ rpm -q abrt-addon-kerneloops
      Is it the case that the package is installed?

$ sudo yum erase abrt-cli

Run the following command to determine if the abrt-cli package is installed:
$ rpm -q abrt-cli
      Is it the case that the package is installed?

$ sudo yum erase abrt-plugin-sosreport

Run the following command to determine if the abrt-plugin-sosreport package is installed:
$ rpm -q abrt-plugin-sosreport
      Is it the case that the package is installed?

$ sudo yum erase abrt

Run the following command to determine if the abrt package is installed:
$ rpm -q abrt
      Is it the case that the package is installed?

$ sudo yum install aide

Run the following command to determine if the aide package is installed: 
$ rpm -q aide
      Is it the case that the package is not installed?

Run the following command to determine if the audit package is installed: 
$ rpm -q audit
      Is it the case that the audit package is not installed?

$ sudo yum install fapolicyd

Run the following command to determine if the fapolicyd package is installed: 
$ rpm -q fapolicyd
      Is it the case that the fapolicyd package is not installed?

$ sudo yum install firewalld

Run the following command to determine if the firewalld package is installed: 
$ rpm -q firewalld
      Is it the case that the package is not installed?

$ sudo yum erase gssproxy

Run the following command to determine if the gssproxy package is installed:
$ rpm -q gssproxy
      Is it the case that the package is installed?

$ sudo yum erase iprutils

Run the following command to determine if the iprutils package is installed:
$ rpm -q iprutils
      Is it the case that the package is installed?

$ sudo yum erase krb5-server

Run the following command to determine if the krb5-server package is installed: 
$ rpm -q krb5-server
      Is it the case that the package is installed?

$ sudo yum erase krb5-workstation

Run the following command to determine if the krb5-workstation package is installed:
$ rpm -q krb5-workstation
      Is it the case that the package is installed?

$ sudo yum erase libreport-plugin-logger

Run the following command to determine if the libreport-plugin-logger package is installed:
$ rpm -q libreport-plugin-logger
      Is it the case that the package is installed?

$ sudo yum erase libreport-plugin-rhtsupport

Run the following command to determine if the libreport-plugin-rhtsupport package is installed:
$ rpm -q libreport-plugin-rhtsupport
      Is it the case that the package is installed?

$ sudo yum install mailx

Run the following command to determine if the mailx package is installed: 
$ rpm -q mailx
      Is it the case that the package is not installed?

$ sudo yum install opensc

Run the following command to determine if the opensc package is installed: 
$ rpm -q opensc
      Is it the case that the package is not installed?

$ sudo yum install openssh-server

Run the following command to determine if the openssh-server package is installed: 
$ rpm -q openssh-server
      Is it the case that the package is not installed?

$ sudo yum install policycoreutils

Run the following command to determine if the policycoreutils package is installed: 
$ rpm -q policycoreutils
      Is it the case that the policycoreutils package is not installed?

$ sudo yum install postfix

Run the following command to determine if the postfix package is installed: 
$ rpm -q postfix
      Is it the case that the package is not installed?

$ sudo yum erase python3-abrt-addon

Run the following command to determine if the python3-abrt-addon package is installed:
$ rpm -q python3-abrt-addon
      Is it the case that the package is installed?

$ sudo yum install rng-tools

Run the following command to determine if the rng-tools package is installed: 
$ rpm -q rng-tools
      Is it the case that the package is not installed?

$ sudo yum install rsyslog-gnutls

Run the following command to determine if the rsyslog-gnutls package is installed:
$ rpm -q rsyslog-gnutls
      Is it the case that the package is installed?

 $ sudo yum install rsyslog

Run the following command to determine if the rsyslog package is installed: 
$ rpm -q rsyslog
      Is it the case that the package is not installed?

$ sudo yum erase sendmail

Run the following command to determine if the sendmail package is installed:
$ rpm -q sendmail
      Is it the case that the package is installed?

$ sudo yum erase telnet-server

Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
      Is it the case that the package is installed?

 $ sudo yum erase tftp-server

Run the following command to determine if the tftp-server package is installed:
$ rpm -q tftp-server
      Is it the case that the package is installed?

$ sudo yum erase tuned

Run the following command to determine if the tuned package is installed:
$ rpm -q tuned
      Is it the case that the package is installed?

$ sudo yum install usbguard

Run the following command to determine if the usbguard package is installed: 
$ rpm -q usbguard
      Is it the case that the package is not installed?

 $ sudo yum erase vsftpd

Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
      Is it the case that the package is installed?

Verify that a separate file system/partition has been created for /home with the following command:

$ mountpoint /home

      Is it the case that "/home is not a mountpoint" is returned?

Verify that a separate file system/partition has been created for /tmp with the following command:

$ mountpoint /tmp

      Is it the case that "/tmp is not a mountpoint" is returned?

Verify that a separate file system/partition has been created for /var with the following command:

$ mountpoint /var

      Is it the case that "/var is not a mountpoint" is returned?

Verify that a separate file system/partition has been created for /var/log with the following command:

$ mountpoint /var/log

      Is it the case that "/var/log is not a mountpoint" is returned?

Verify that a separate file system/partition has been created for /var/log/audit with the following command:

$ mountpoint /var/log/audit

      Is it the case that "/var/log/audit is not a mountpoint" is returned?

Verify that a separate file system/partition has been created for /var/tmp with the following command:

$ mountpoint /var/tmp

      Is it the case that "/var/tmp is not a mountpoint" is returned?

$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the postmaster user:
$ sudo postmap -q postmaster hash:/etc/aliases
The output should return root.
      Is it the case that the alias is not set or is not root?

/etc/postfix/main.cf

$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying,
run the following command:
$ sudo postconf -n smtpd_client_restrictions
      Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"?

To check if authentication is required for emergency mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/emergency.service
The output should be similar to the following, and the line must begin with
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
    
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Then, check if the emergency target requires the emergency service:
Run the following command:
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
The output should be the following:
Requires=emergency.service

Then, check if there is no custom emergency target configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.target /etc/systemd/system/
The output should be empty.

Then, check if there is no custom emergency service configured in systemd configuration.
Run the following command:
$ sudo grep -r emergency.service /etc/systemd/system/
The output should be empty.
      Is it the case that the output is different?

To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
    
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

In case the output does not match, check if the ExecStart directive is not overridden:
grep ExecStart /etc/systemd/system/rescue.service.d/*.conf
The output should contain two lines:
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
      Is it the case that the output is different?

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chgrp root FILE

Verify the system-wide shared library files are group-owned by root with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;
      Is it the case that any system wide shared library file is returned and is not group-owned by root?

    C /root/.bash_logout   600 root root - /usr/share/rootfiles/.bash_logout
    C /root/.bash_profile  600 root root - /usr/share/rootfiles/.bash_profile
    C /root/.bashrc        600 root root - /usr/share/rootfiles/.bashrc
    C /root/.cshrc         600 root root - /usr/share/rootfiles/.cshrc
    C /root/.tcshrc        600 root root - /usr/share/rootfiles/.tcshrc

Check the all files from /usr/share/rootfiles/ are overridden correctly.
    $ grep /usr/share/rootfiles/.bash_logout *.conf
    C /root/.bash_logout   600 root root - /usr/share/rootfiles/.bash_logout
    C /root/.bash_profile  600 root root - /usr/share/rootfiles/.bash_profile
    C /root/.bashrc        600 root root - /usr/share/rootfiles/.bashrc
    C /root/.cshrc         600 root root - /usr/share/rootfiles/.cshrc
    C /root/.tcshrc        600 root root - /usr/share/rootfiles/.tcshrc

      Is it the case that that rootfiles are not configured correctly?

cron.*                                                  /var/log/cron

cron.* action(type="omfile" file="/var/log/cron")

Verify that cron is logging to rsyslog,
run the following command:
grep -rni "cron\.\*" /etc/rsyslog.*
cron.*                                                  /var/log/cron
or
cron.* action(type="omfile" file="/var/log/cron")
      Is it the case that cron is not logging to rsyslog?

$ActionSendStreamDriverAuthMode x509/name

action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")

Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command:

$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
The output should be
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
      Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name?

$ActionSendStreamDriverMode 1

action(type="omfwd" ... StreamDriverMode="1")

Verify the operating system encrypts audit records off-loaded onto a different system
or media from the system being audited with the following commands:

$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

The output should be:

/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
      Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1?

$DefaultNetstreamDriver gtls

global(DefaultNetstreamDriver="gtls")

Verify the operating system encrypts audit records off-loaded onto a different system
or media from the system being audited with the following commands:

$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

The output should be:

/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
      Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls?

To verify that remote access methods are logging to rsyslog,
run the following command:

grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.*

The output should contain auth.*, authpriv.*, and daemon.*
pointing to a log file.
      Is it the case that remote access methods are not logging to rsyslog?

*.* @None

*.* action(type="omfwd" ... target="None" protocol="udp")

*.* @@None

*.* action(type="omfwd" ... target="None" protocol="tcp")

*.* :omrelp:None

*.* action(type="omfwd" ... target="None" protocol="relp")

To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
 *.* @None
or
*.* action(type="omfwd" ... target="None" protocol="udp")
If using TCP, a line similar to the following should be present:
 *.* @@None
or
*.* action(type="omfwd" ... target="None" protocol="tcp")
If using RELP, a line similar to the following should be present:
 *.* :omrelp:None
or
*.* action(type="omfwd" ... target="None" protocol="relp")
      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?

$ sudo yum update

Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date.
Updates are required to be applied with a frequency determined by organizational policy.


Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/.
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.


Check that the available package security updates have been installed on the system with the following command:

$ sudo yum history list | more

Loaded plugins: langpacks, product-id, subscription-manager
ID | Command line | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
70 | install aide | 2020-03-05 10:58 | Install | 1
69 | update -y | 2020-03-04 14:34 | Update | 18 EE
68 | install vlc | 2020-02-21 17:12 | Install | 21
67 | update -y | 2020-02-21 17:04 | Update | 7 EE


Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
      Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy?

sudo visudo -f /etc/sudoers.d/CUSTOM_FILE

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Verify the operating system elevates the SELinux context when an administrator calls the
sudo command with the following command:



This command must be ran as root:
grep sysadm_r /etc/sudoers.d/*
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

      Is it the case that selinux context does not elevate when running sudo command?

SELINUXTYPE=targeted

Verify the SELINUX on Red Hat Enterprise Linux 8 is using the targeted policy with the following command:

$ sestatus | grep policy

Loaded policy name:             targeted
      Is it the case that the loaded policy name is not "targeted"?

SELINUX=enforcing

fixfiles onboot

Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions.

Check if "SELinux" is active and in "enforcing" mode with the following command:

$ sudo getenforce
enforcing
      Is it the case that SELINUX is not set to enforcing?

$ sudo semanage login -m -s sysadm_u USER

$ sudo semanage login -m -s staff_u USER

$ sudo semanage login -m -s user_u USER

To verify the operating system prevents non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures, run the following
command:
$ sudo semanage login -l
All administrators must be mapped to the sysadm_u or staff_u
users with the appropriate domains (sysadm_t and staff_t).



All authorized non-administrative
users must be mapped to the user_u role or the appropriate domain
(user_t).
      Is it the case that non-admin users are not confined correctly?

$ sudo systemctl enable auditd.service

Run the following command to determine the current status of the
auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following: 
active
      Is it the case that the auditd service is not running?

$ sudo systemctl mask --now autofs.service

To check that the autofs service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled autofs
 disabled

Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active autofs

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the autofs is masked, run the following command:
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "autofs" is loaded and not masked?

$ sudo systemctl mask --now debug-shell.service

To check that the debug-shell service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled debug-shell
Output should indicate the debug-shell service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled debug-shell
 disabled

Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active debug-shell

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the debug-shell is masked, run the following command:
$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "debug-shell" is loaded and not masked?

$ sudo systemctl enable fapolicyd.service

Run the following command to determine the current status of the
fapolicyd service:
$ sudo systemctl is-active fapolicyd
If the service is running, it should return the following: 
active
      Is it the case that the service is not enabled?

$ sudo systemctl enable firewalld.service

Run the following command to determine the current status of the
firewalld service:
$ sudo systemctl is-active firewalld
If the service is running, it should return the following: 
active
      Is it the case that the "firewalld" service is disabled, masked, or not started.?

$ sudo systemctl mask --now kdump.service

To check that the kdump service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled kdump
 disabled

Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active kdump

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the kdump is masked, run the following command:
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "kdump" is loaded and not masked?

$ sudo systemctl enable rngd.service

Run the following command to determine the current status of the
rngd service:
$ sudo systemctl is-active rngd
If the service is running, it should return the following: 
active
      Is it the case that the "rngd" service is disabled, masked, or not started.?

$ sudo systemctl enable rsyslog.service

Run the following command to determine the current status of the
rsyslog service:
$ sudo systemctl is-active rsyslog
If the service is running, it should return the following: 
active
      Is it the case that the "rsyslog" service is disabled, masked, or not started.?

$ sudo systemctl enable sshd.service

Run the following command to determine the current status of the
sshd service:
$ sudo systemctl is-active sshd
If the service is running, it should return the following: 
active
      Is it the case that sshd service is disabled?

To verify that acquiring, saving, and processing core dumps is disabled, run the
following command:
$ systemctl status systemd-coredump.socket
The output should be similar to:
● systemd-coredump.socket
   Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
   Active: inactive (dead) ...

      Is it the case that unit systemd-coredump.socket is not masked or running?

$ sudo systemctl enable usbguard.service

Run the following command to determine the current status of the
usbguard service:
$ sudo systemctl is-active usbguard
If the service is running, it should return the following: 
active
      Is it the case that the service is not enabled?

DefaultZone=drop

Inspect the file /etc/firewalld/firewalld.conf to determine
the default zone for the firewalld. It should be set to DefaultZone=drop:
$ sudo grep DefaultZone /etc/firewalld/firewalld.conf
      Is it the case that the default zone is not set to DROP?

ENCRYPT_METHOD SHA512

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.

Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i ENCRYPT_METHOD  /etc/login.defs

ENCRYPT_METHOD SHA512
      Is it the case that ENCRYPT_METHOD is not set to SHA512?

password    sufficient    pam_unix.so sha512 other arguments...

Inspect the password section of /etc/pam.d/password-auth
and ensure that the pam_unix.so module is configured to use the argument
sha512:

$ grep sha512 /etc/pam.d/password-auth
      Is it the case that it does not?

password    sufficient    pam_unix.so sha512 other arguments...

Inspect the password section of /etc/pam.d/system-auth
and ensure that the pam_unix.so module is configured to use the argument
sha512:

$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth

password sufficient pam_unix.so sha512
      Is it the case that "sha512" is missing, or is commented out?

SHA_CRYPT_MIN_ROUNDS 100000
SHA_CRYPT_MAX_ROUNDS 100000

Inspect /etc/login.defs and ensure that if either
SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
are set, they must have the minimum value of 100000.
      Is it the case that it does not?

$ sudo ssh-keygen -n [passphrase]

For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/file
If the contents of the key are displayed, this is a finding.
      Is it the case that no ssh private key is accessible without a passcode?

PermitEmptyPasswords no

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

GSSAPIAuthentication no

To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:

$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

KerberosAuthentication no

To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:

$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

PermitRootLogin no

To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

IgnoreUserKnownHosts yes

To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?

X11Forwarding no

To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

PermitUserEnvironment no

To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?

StrictModes yes

To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?

Banner /etc/issue

To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?

PrintLastLog yes

To determine how the SSH daemon's PrintLastLog option is set, run the following command:

$ sudo grep -i PrintLastLog /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?

RekeyLimit 1G 1h

To check if RekeyLimit is set correctly, run the
following command:

$ sudo grep RekeyLimit /etc/ssh/sshd_config

If configured properly, output should be
RekeyLimit 1G 1h
      Is it the case that it is commented out or is not set?

ClientAliveInterval 600

Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval 600
      Is it the case that it is commented out or not configured properly?

To ensure ClientAliveInterval is set correctly, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveCountMax 
For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when
the ClientAliveInterval is set.  Starting with v8.2, a value of 0 disables the timeout
functionality completely.
If the option is set to a number greater than 0, then the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
      Is it the case that it is commented out or not configured properly?

CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'

Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved
key exchange algorithms are in use, run the following command:
$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config
The output should contain only following algorithms (or a subset) in the exact order:
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
      Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order?

SSH_USE_STRONG_RNG=32

To determine whether the SSH service is configured to use strong entropy seed,
run 
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
then the option is set correctly.
      Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd?

To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:

$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.
      Is it the case that the display proxy is listening on wildcard address?

Check to see if Online Certificate Status Protocol (OCSP)
is enabled and using the proper digest value on the system with the following command:
$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"
If configured properly, output should look like
    certificate_verification = ocsp_dgst=sha1

      Is it the case that certificate_verification in sssd is not configured?

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

To verify Certmap is enabled in SSSD, run the following command:
$ sudo cat /etc/sssd/sssd.conf
If configured properly, output should contain section like the following
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

      Is it the case that Certmap is not configured in SSSD?

[pam]
pam_cert_auth = True

/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name

To verify that smart cards are enabled in SSSD, run the following command:
$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
If configured properly, output should be
pam_cert_auth = True


To verify that smart cards are enabled in PAM files, run the following command:
$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth
If configured properly, output should be
/etc/pam.d/smartcard-auth:auth        sufficient                                   pam_sss.so allow_missing_name
/etc/pam.d/system-auth:auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

      Is it the case that smart cards are not enabled in SSSD?

Verify Red Hat Enterprise Linux 8 for PKI-based authentication has valid certificates by constructing a
certification path (which includes status information) to an accepted trust anchor.

Check that the system has a valid DoD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Validity
Not Before: Mar 20 18:46:41 2012 GMT
Not After : Dec 30 18:46:41 2029 GMT
Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
      Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location?

$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true

[pam]
offline_credentials_expiration = 1

Check if SSSD allows cached authentications with the following command:
$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true

If "cache_credentials" is set to "false" or is missing no further checks are required.


To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
      Is it the case that it does not exist or is not configured properly?

To determine if !authenticate has not been configured for sudo, run the following command:
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that !authenticate is specified in the sudo config files?

To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that nopasswd is specified in the sudo config files?

Verify the operating system requires re-authentication
when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0
 or "timestamp_timeout" is set to a positive number.
If conflicting results are returned, this is a finding.
      Is it the case that timestamp_timeout is not set with the appropriate value for sudo?

Determine if "sudoers" file restricts sudo access run the following commands:
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
      Is it the case that either of the commands returned a line?

To determine whether sudo command includes configuration files from the appropriate directory,
run the following command:
$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
Any other line returned is a finding.
      Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories??

 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 

 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw 

 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 

 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 

Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
If no results are returned, this is a finding.
If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
      Is it the case that invoke user passwd when using sudo?

To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command:
sysctl crypto.fips_enabled
The output should contain the following:
crypto.fips_enabled = 1
      Is it the case that crypto.fips_enabled is not 1?

$ sudo sysctl -w fs.protected_hardlinks=1

fs.protected_hardlinks = 1

The runtime status of the fs.protected_hardlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_hardlinks
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w fs.protected_symlinks=1

fs.protected_symlinks = 1

The runtime status of the fs.protected_symlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_symlinks
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.core_pattern=|/bin/false

kernel.core_pattern = |/bin/false

The runtime status of the kernel.core_pattern kernel parameter can be queried
by running the following command:
$ sysctl kernel.core_pattern
|/bin/false.

      Is it the case that the returned line does not have a value of "|/bin/false", or a line is not
returned and the need for core dumps is not documented with the Information
System Security Officer (ISSO) as an operational requirement?

$ sudo sysctl -w kernel.dmesg_restrict=1

kernel.dmesg_restrict = 1

The runtime status of the kernel.dmesg_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.dmesg_restrict
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.kexec_load_disabled=1

kernel.kexec_load_disabled = 1

The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried
by running the following command:
$ sysctl kernel.kexec_load_disabled
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.kptr_restrict=None

kernel.kptr_restrict = None

The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate either:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2
The output of the command should not indicate:
kernel.kptr_restrict = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the 
/etc/sysctl.d
 directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2

Conflicting assignments are not allowed.
      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?

$ sudo sysctl -w kernel.perf_event_paranoid=2

kernel.perf_event_paranoid = 2

The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried
by running the following command:
$ sysctl kernel.perf_event_paranoid
2.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.randomize_va_space=2

kernel.randomize_va_space = 2

The runtime status of the kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_space
2.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1

kernel.unprivileged_bpf_disabled = 1

The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried
by running the following command:
$ sysctl kernel.unprivileged_bpf_disabled
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w kernel.yama.ptrace_scope=1

kernel.yama.ptrace_scope = 1

The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried
by running the following command:
$ sysctl kernel.yama.ptrace_scope
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.core.bpf_jit_harden=2

net.core.bpf_jit_harden = 2

The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried
by running the following command:
$ sysctl net.core.bpf_jit_harden
2.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects = 0

The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route = 0

The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.all.forwarding=0

net.ipv4.conf.all.forwarding = 0

The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.rp_filter = 1

The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.rp_filter
The output of the command should indicate either:
net.ipv4.conf.all.rp_filter = 1
or:
net.ipv4.conf.all.rp_filter = 2

The output of the command should not indicate:
net.ipv4.conf.all.rp_filter = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent sysctl parameter configuration is performed by specifying the appropriate
assignment in any file located in the 
/etc/sysctl.d
 directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
net.ipv4.conf.all.rp_filter = 1
or:
net.ipv4.conf.all.rp_filter = 2


Conflicting assignments are not allowed.
      Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0?

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects = 0

The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.send_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.default.accept_redirects = 0

The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route = 0

The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects = 0

The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.send_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_echo_ignore_broadcasts = 1

The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
1.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra = 0

The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_ra
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects = 0

The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route = 0

The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding = 0

The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra = 0

The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_ra
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

net.ipv6.conf.default.accept_redirects = 0

The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route = 0

The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?

$ sudo sysctl -w user.max_user_namespaces=0

user.max_user_namespaces = 0

Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands:

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.

The runtime status of the user.max_user_namespaces kernel parameter can be queried
by running the following command:
$ sysctl user.max_user_namespaces
0.

      Is it the case that the correct value is not returned?

$ sudo systemctl show tftp | grep ExecStart=
ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e

ExecStart=/usr/sbin/in.tftpd -s None

Use sudo systemctl show tftp to verify that tftp service is using secure mode.
$ sudo systemctl show tftp | grep ExecStart=
ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e


and ensure the ExecStart line on that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s None
      Is it the case that the ExecStart property of tftp does not contain correctly set -s flag?

Verify the USBGuard has a policy configured with the following command:

$ usbguard list-rules

allow id 1d6b:0001 serial

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.
      Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection?

$ sudo nmcli radio all off

Verify that there are no wireless interfaces configured on the system
with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ nmcli device status
DEVICE          TYPE      STATE         CONNECTION
virbr0          bridge    connected     virbr0
wlp7s0          wifi      connected     wifiSSID
enp6s0          ethernet  disconnected  --
p2p-dev-wlp7s0  wifi-p2p  disconnected  --
lo              loopback  unmanaged     --
virbr0-nic      tun       unmanaged     --
      Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)?

sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland

To ensure the X Windows package group is removed, run the following command:
$ rpm -qi xorg-x11-server-Xorg
$ rpm -qi xorg-x11-server-common
$ rpm -qi xorg-x11-server-utils
$ rpm -qi xorg-x11-server-Xwayland
For each package mentioned above you should receive following line:
package <package> is not installed
      Is it the case that xorg related packages are not removed and run level is not correctly configured?