INACTIVE=
                  
                
              

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
      

Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so?
      

Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/system-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
      Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so?
      

If the system does not have SELinux enabled and enforcing a targeted policy, or if the
pam_faillock.so module is not configured for use, this requirement is not applicable.

Verify the location of the non-default tally directory for the pam_faillock.so module with
the following command:

$ sudo grep -w dir /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock
      Is it the case that the security context type of the non-default tally directory is not "faillog_t"?
      

$ sudo chage -E YYYY-MM-DD USER
              

Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?
      

Verify that Red Hat Enterprise Linux 9 contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
      Is it the case that output is produced and the accounts listed are interactive user accounts?
      

$ sudo userdel unauthorized_user
            

To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?
      

CREATE_HOME yes

Verify all local interactive users on Red Hat Enterprise Linux 9 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?
      

FAIL_DELAY 
            

Verify Red Hat Enterprise Linux 9 enforces a delay of at least  seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 
      Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out?
      

* hard maxlogins 
            

Verify Red Hat Enterprise Linux 9 limits the number of concurrent sessions to
"" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?
      

PASS_MAX_DAYS 
              

Verify that Red Hat Enterprise Linux 9 enforces a -day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out?
      

PASS_MIN_DAYS 
              

Verify Red Hat Enterprise Linux 9 enforces 24 hours/one day as the minimum password lifetime for new user accounts.

Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:

$ grep -i pass_min_days /etc/login.defs

PASS_MIN_DAYS 
      Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out?
      

Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?
      

$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Verify that the interactive user account passwords are using a strong
password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
      Is it the case that any interactive user password hash does not begin with "$6"?
      

Verify that Red Hat Enterprise Linux 9 enforces password complexity by requiring that at least one numeric character be used.

Check the value for "dcredit" with the following command:

$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dcredit = 
      Is it the case that the value of "dcredit" is a positive number or is commented out?
      

Verify Red Hat Enterprise Linux 9 prevents the use of dictionary words for passwords with the following command:

$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:dictcheck=1
      Is it the case that "dictcheck" does not have a value other than "0", or is commented out?
      

Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:

$ sudo grep difok /etc/security/pwquality.conf

difok = 
      Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out?
      

Verify that Red Hat Enterprise Linux 9 enforces password complexity rules for the root account.

Check if root user is required to use complex passwords with the following command:

$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:enforce_for_root
      Is it the case that "enforce_for_root" is commented or missing?
      

Verify that Red Hat Enterprise Linux 9 enforces password complexity by requiring that at least one lower-case character.

Check the value for "lcredit" with the following command:

$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

/etc/security/pwquality.conf:lcredit = -1
      Is it the case that the value of "lcredit" is a positive number or is commented out?
      

Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxclassrepeat /etc/security/pwquality.conf

maxclassrepeat = 
      Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out?
      

Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:

$ grep maxrepeat /etc/security/pwquality.conf

maxrepeat = 
      Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out?
      

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:

$ grep minclass /etc/security/pwquality.conf

minclass = 
      Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out?
      

Verify that Red Hat Enterprise Linux 9 enforces a minimum -character password length with the following command:

$ grep minlen /etc/security/pwquality.conf

minlen = 
      Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out?
      

Verify that Red Hat Enterprise Linux 9 enforces password complexity by requiring that at least one special character with the following command:

$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ocredit = 
      Is it the case that value of "ocredit" is a positive number or is commented out?
      

To check if pam_pwquality.so is enabled in password-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/password-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in password-auth?
      

To check if pam_pwquality.so is enabled in system-auth, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The output should be similar to the following:
password requisite pam_pwquality.so
      Is it the case that pam_pwquality.so is not enabled in system-auth?
      

Verify Red Hat Enterprise Linux 9 is configured to limit the "pwquality" retry option to .


Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command:
$ grep retry /etc/security/pwquality.conf
      Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing?
      

Verify that Red Hat Enterprise Linux 9 enforces password complexity by requiring that at least one upper-case character.

Check the value for "ucredit" with the following command:

$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

ucredit = -1
      Is it the case that the value of "ucredit" is a positive number or is commented out?
      

password sufficient pam_unix.so ...existing_options... rounds=
              

To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds /etc/pam.d/password-auth
The output should show the following match:

password sufficient pam_unix.so sha512 rounds=
      Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out?
      

password sufficient pam_unix.so ...existing_options... rounds=
              

To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds /etc/pam.d/system-auth
The output should show the following match:
password sufficient pam_unix.so sha512 rounds=
      Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out?
      

$ sudo chage -M 
                USER
              

Check whether the maximum time period for existing passwords is restricted to  days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

$ sudo chage -m 1 USER
              

Verify that Red Hat Enterprise Linux 9 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:

$ sudo grep audit /etc/security/faillock.conf

audit
      Is it the case that the "audit" option is not set, is missing or commented out?
      

Verify Red Hat Enterprise Linux 9 is configured to lock an account after 
unsuccessful logon attempts with the command:

$ grep 'deny =' /etc/security/faillock.conf
deny = .
      Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />"
or less (but not "0"), is missing or commented out?
      

Verify Red Hat Enterprise Linux 9 is configured to lock the root account after 
unsuccessful logon attempts with the command:

$ grep even_deny_root /etc/security/faillock.conf
even_deny_root
      Is it the case that the "even_deny_root" option is not set, is missing or commented out?
      

Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.

To ensure the tally directory is configured correctly, run the following command:
$ sudo grep 'dir =' /etc/security/faillock.conf
The output should show that dir is set to something other than "/var/run/faillock"
      Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out?
      

To ensure the failed password attempt policy is configured correctly, run the following command:

$ grep fail_interval /etc/security/faillock.conf
The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is  or greater.
      Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />"
or less (but not "0"), the line is commented out, or the line is missing?
      

Verify Red Hat Enterprise Linux 9 is configured to lock an account until released by an administrator
after  unsuccessful logon
attempts with the command:

$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = 
      Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />",
the line is missing, or commented out?
      

typeset -xr TMOUT=
            

declare -xr TMOUT=
            

Run the following command to ensure the TMOUT value is configured for all users
on the system:

$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh

The output should return the following:
TMOUT=
      Is it the case that value of TMOUT is not less than or equal to expected setting?
      

umask 
              

Verify the umask setting is configured correctly in the /etc/bashrc file with the following command:

$ sudo grep "umask" /etc/bashrc

umask 
      Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out?
      

umask 
              

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command:

$ grep umask /etc/csh.cshrc

umask 077
umask 077
      Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out?
      

UMASK 
              

Verify Red Hat Enterprise Linux 9 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 
      Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out?
      

umask 
              

Verify the umask setting is configured correctly in the /etc/profile file
or scripts within /etc/profile.d directory with the following command:
$ grep "umask" /etc/profile*
umask 
      Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />",
or the "umask" parameter is missing or is commented out?
      

Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

# grep -ri umask /home/

/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/smithj/.bash_history:grep -i umask /etc/login.defs
      Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"?
      

$ sudo chmod o-w FILE
            

Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?
      

Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?
      

Verify that interactive users on the system have a home directory assigned with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined.
      Is it the case that users home directory is not defined?
      

$ sudo mkdir /home/USER
            

Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?
      

$ sudo /usr/sbin/aide --init

$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

$ sudo /usr/sbin/aide --check

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
      Is it the case that there is no database file?
      

Check that AIDE is properly configured to protect the integrity of the
audit tools by running the following command:

# sudo cat /etc/aide.conf | grep /usr/sbin/au

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512


/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512


If AIDE is configured properly to protect the integrity of the audit tools,
all lines listed above will be returned from the command.

If one or more lines are missing, this is a finding.
      Is it the case that integrity checks of the audit tools are missing or incomplete?
      

05 4 * * * root /usr/sbin/aide --check

05 4 * * 0 root /usr/sbin/aide --check

Verify the operating system routinely checks the baseline configuration for unauthorized changes.

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check

NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
      Is it the case that AIDE is not configured to scan periodically?
      

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

To determine that periodic AIDE execution has been scheduled, run the following command:

$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
The email address that the notifications are sent to can be changed by overriding
.
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?
      

NORMAL = FIPSR+sha512

To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
$ grep sha512 /etc/aide.conf
Verify that the sha512 option is added to the correct ruleset.
      Is it the case that the sha512 option is missing or not added to the correct ruleset?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?
      

-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "init" command with the following command:

$ sudo auditctl -l | grep init

-a always,exit -F path=/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "poweroff" command with the following command:

$ sudo auditctl -l | grep poweroff

-a always,exit -F path=/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "reboot" command with the following command:

$ sudo auditctl -l | grep reboot

-a always,exit -F path=/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "shutdown" command with the following command:

$ sudo auditctl -l | grep shutdown

-a always,exit -F path=/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod

Verify that Red Hat Enterprise Linux 9 generates an audit record for all uses of the "umount" and system call.
To determine if the system is configured to audit calls to the
"umount" system call, run the following command:
$ sudo grep "umount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line like the following.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
umount2 system call, run the following command:
$ sudo grep "umount2" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "semanage" command with the following command:

$ sudo auditctl -l | grep semanage

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "setfiles" command with the following command:

$ sudo auditctl -l | grep setfiles

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "setsebool" command with the following command:

$ sudo auditctl -l | grep setsebool

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rename system call, run the following command:
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
renameat system call, run the following command:
$ sudo grep "renameat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
rmdir system call, run the following command:
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlink system call, run the following command:
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

To determine if the system is configured to audit calls to the
unlinkat system call, run the following command:
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-e 2

-e 2

Verify the audit system prevents unauthorized changes with the following command:

$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-e 2

      Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"?
      

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules

To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-w  -p wa -k logins

-w  -p wa -k logins

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep 

-w  -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /var/log/lastlog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /var/log/tallylog -p wa -k logins

-w /var/log/tallylog -p wa -k logins

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command:

$ sudo auditctl -l | grep /var/log/tallylog

-w /var/log/tallylog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "mount" command with the following command:

$ sudo auditctl -l | grep mount

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "pam_timestamp_check" command with the following command:

$ sudo auditctl -l | grep pam_timestamp_check

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "postdrop" command with the following command:

$ sudo auditctl -l | grep postdrop

-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "postqueue" command with the following command:

$ sudo auditctl -l | grep postqueue

-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "sudoedit" command with the following command:

$ sudo auditctl -l | grep sudoedit

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "umount" command with the following command:

$ sudo auditctl -l | grep umount

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "unix_update" command with the following command:

$ sudo auditctl -l | grep unix_update

-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "userhelper" command with the following command:

$ sudo auditctl -l | grep userhelper

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that Red Hat Enterprise Linux 9 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/sudoers -p wa -k actions

-w /etc/sudoers -p wa -k actions

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command:

$ sudo auditctl -l | grep /etc/sudoers

-w /etc/sudoers -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/sudoers.d/ -p wa -k actions

-w /etc/sudoers.d/ -p wa -k actions

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command:

$ sudo auditctl -l | grep/etc/sudoers.d

-w /etc/sudoers.d/ -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

$ sudo grep execve /etc/audit/audit.rules

$ sudo grep -r execve /etc/audit/rules.d

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

Verify Red Hat Enterprise Linux 9 audits the execution of privileged functions.

Check if Red Hat Enterprise Linux 9 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?
      

-f 
          

-f 
          

To verify that the system will shutdown when auditd fails,
run the following command:
$ sudo grep "\-f " /etc/audit/audit.rules
The output should contain:
-f 
      Is it the case that the system is not configured to shutdown on auditd failures?
      

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the creat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r creat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep creat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the ftruncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r ftruncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep ftruncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the open system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open_by_handle_at /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open_by_handle_at /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the openat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r openat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep openat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify Red Hat Enterprise Linux 9 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/group -p wa -k audit_rules_usergroup_modification

-w /etc/group -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep -E '(/etc/group)'

-w /etc/group -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep -E '(/etc/gshadow)'

-w /etc/gshadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
      Is it the case that the system is not configured to audit account changes?
      

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep -E '(/etc/security/opasswd)'

-w /etc/security/opasswd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$  sudo auditctl -l | grep -E '(/etc/passwd)'

-w /etc/passwd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Verify Red Hat Enterprise Linux 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command:

$  sudo auditctl -l | grep -E '(/etc/shadow)'

-w /etc/shadow -p wa -k identity
      Is it the case that command does not return a line, or the line is commented out?
      

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

To verify whether audispd plugin off-loads audit records onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf

The output should return something similar to where REMOTE_SYSTEM
is an IP address or hostname:
remote_server = REMOTE_SYSTEM

Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command and verify whether it is sufficiently large:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
      Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space?
      

$ sudo service auditd restart

To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audit/plugins.d/syslog.conf
If the plugin is active, the output will show yes.
      Is it the case that it is not activated?
      

disk_error_action = ACTION
          

Verify Red Hat Enterprise Linux 9 takes the appropriate action when an audit processing failure occurs.

Check that Red Hat Enterprise Linux 9 takes the appropriate action when an audit processing failure occurs with the following command:

$ sudo grep disk_error_action /etc/audit/auditd.conf

disk_error_action = HALT

If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.
      Is it the case that there is no evidence of appropriate action?
      

disk_full_action = ACTION
          

Verify Red Hat Enterprise Linux 9 takes the appropriate action when the audit storage volume is full.

Check that Red Hat Enterprise Linux 9 takes the appropriate action when the audit storage volume is full with the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = 

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
      Is it the case that there is no evidence of appropriate action?
      

action_mail_acct = 
          

Verify that Red Hat Enterprise Linux 9 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = 
      Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?
      

admin_space_left_action = ACTION
          

Verify that Red Hat Enterprise Linux 9 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep admin_space_left_action /etc/audit/auditd.conf

admin_space_left_action = single

If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?
      

admin_space_left = PERCENTAGE%

Verify Red Hat Enterprise Linux 9 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w admin_space_left /etc/audit/auditd.conf

admin_space_left = %

If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity.
      Is it the case that the "admin_space_left" value is not configured to the correct value?
      

max_log_file_action = ACTION
          

• ignore
• syslog
• suspend
• rotate
• keep_logs

Verify Red Hat Enterprise Linux 9 takes the appropriate action when the audit files have reached maximum size.

Check that Red Hat Enterprise Linux 9 takes the appropriate action when the audit files have reached maximum size with the following command:

$ sudo grep max_log_file_action /etc/audit/auditd.conf

max_log_file_action = 
      Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action?
      

space_left_action = ACTION
          

• syslog
• email
• exec
• suspend
• single
• halt

Verify Red Hat Enterprise Linux 9 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = 

If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
      Is it the case that there is no evidence that real-time alerts are configured on the system?
      

space_left = PERCENTAGE%

Verify Red Hat Enterprise Linux 9 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left /etc/audit/auditd.conf

space_left = %
      Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value?
      

To verify that Audit Daemon is configured to flush to disk after
every  records, run the following command:
$ sudo grep freq /etc/audit/auditd.conf
The output should return the following:
freq = 
      Is it the case that freq isn't set to <sub idref="var_auditd_freq" />?
      

To verify that Audit Daemon is configured to include local events, run the
following command:
$ sudo grep local_events /etc/audit/auditd.conf
The output should return the following:
local_events = yes
      Is it the case that local_events isn't set to yes?
      

To verify that Audit Daemon is configured to resolve all uid, gid, syscall,
architecture, and socket address information before writing the event to disk,
run the following command:
$ sudo grep log_format /etc/audit/auditd.conf
The output should return the following:
log_format = ENRICHED
      Is it the case that log_format isn't set to ENRICHED?
      

To verify that Audit Daemon is configured to record the computer node
name in the audit events, run the following command:
$ sudo grep name_format /etc/audit/auditd.conf
The output should return the following:
name_format = 
      Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />?
      

Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf

The output should contain overflow_action = syslog

If the value of the "overflow_action" option is not set to syslog,
single, halt or the line is commented out, ask the System Administrator
to indicate how the audit logs are off-loaded to a different system or media.
      Is it the case that auditd overflow action is not set correctly?
      

To verify that Audit Daemon is configured to write logs to the disk, run the
following command:
$ sudo grep write_logs /etc/audit/auditd.conf
The output should return the following:
write_logs = yes
      Is it the case that write_logs isn't set to yes?
      

To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?
      

Verify Red Hat Enterprise Linux 9 disables the chrony daemon from acting as a server with the following command:
$ grep -w port /etc/chrony.conf
port 0
      Is it the case that the "port" option is not set to "0", is commented out, or is missing?
      

Verify Red Hat Enterprise Linux 9 disables network management of the chrony daemon with the following command:
$ grep -w cmdport /etc/chrony.conf
cmdport 0
      Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing?
      

maxpoll 
          

Verify Red Hat Enterprise Linux 9 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf /etc/chrony.d/
server [ntp.server.name] iburst maxpoll .
      Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing?
      

Run the following command and verify that time sources are only configured with server directive:
# grep -E "^(server|pool)" /etc/chrony.conf
A line with the appropriate server should be returned, any line returned starting with pool is a finding.
      Is it the case that an authoritative remote time server is not configured or configured with pool directive?
      

server <remote-server>

Run the following command and verify remote server is configured properly:
# grep -E "^(server|pool)" /etc/chrony.conf
      Is it the case that a remote time server is not configured?
      

Verify Red Hat Enterprise Linux 9 removes all software components after updated versions have been installed.


$ grep clean_requirements_on_remove /etc/dnf/dnf.conf
clean_requirements_on_remove=1
      Is it the case that '"clean_requirements_on_remove" is not set to "1"'?
      

To verify that BIND uses the system crypto policy, check out that the BIND config file
/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config";
directive:
$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf
Verify that the directive is at the bottom of the options section of the config file.
      Is it the case that BIND is installed and the BIND config file doesn't contain the
<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive?
      

$ sudo update-crypto-policies --set 
              

To verify that cryptography policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
The output should return .
Run the command to check if the policy is correctly applied:
$ update-crypto-policies --is-applied
The output should be The configured policy is applied.
Moreover, check if settings for selected crypto policy are as expected.
List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends.
$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort
Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory.
$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort
Outputs of two previous commands should match.
      Is it the case that cryptographic policy is not configured or is configured incorrectly?
      

Check that the symlink exists and target the correct Kerberos crypto policy, with the following command:
file /etc/krb5.conf.d/crypto-policies
If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy.
/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
      Is it the case that the symlink does not exist or points to a different target?
      

Verify that the IPSec service uses the system crypto policy.

If the ipsec service is not installed is not applicable.

Check to see if the "IPsec" service is active with the following command:

$ systemctl status ipsec

ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)

If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command:

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
      Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>?
      

app default {
   ...
   card_drivers = ;
}

Verify that Red Hat Enterprise Linux 9 loads the  driver with the following command:

$ grep card_drivers /etc/opensc.conf

card_drivers = ;
      Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"?
      

To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the
.include = /etc/crypto-policies/back-ends/opensslcnf.config directive:

$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf.
      Is it the case that the OpenSSL config file doesn't contain the whole section,
or the section doesn't contain the <pre>.include = /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive?
      

$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2

$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2

To verify if the OpenSSL uses defined TLS Crypto Policy, run:
$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config
and verify that the value is
TLSv1.2
      Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly?
      

To verify that Linux Audit logging is enabled for the USBGuard daemon,
run the following command:
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
The output should be
AuditBackend=LinuxAudit
      Is it the case that AuditBackend is not set to LinuxAudit?
      

Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state

running

$ sudo firewall-cmd --get-active-zones

[custom]
interfaces: ens33

$ sudo firewall-cmd --info-zone=[custom] | grep target

target: DROP
      Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"?
      

Verify Red Hat Enterprise Linux 9 disables core dump backtraces by issuing the following command:

$ grep -i process /etc/systemd/coredump.conf

ProcessSizeMax=0
      Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
      

Verify Red Hat Enterprise Linux 9 disables storing core dumps for all users by issuing the following command:

$ grep -i storage /etc/systemd/coredump.conf

Storage=none
      Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
      

dconf update

/etc/dconf/db/distro.d

/etc/dconf/db/local.d

In order to be sure that the databases are up-to-date, run the
dconf update
command as the administrator.
      Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles?
      

[org/gnome/login-screen]
banner-message-enable=true

/org/gnome/login-screen/banner-message-enable

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/distro.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/distro.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      

[org/gnome/desktop/media-handling]
automount-open=false

/org/gnome/desktop/media-handling/automount-open

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
      Is it the case that GNOME automounting is not disabled?
      

[org/gnome/desktop/media-handling]
autorun-never=true

/org/gnome/desktop/media-handling/autorun-never

These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
      Is it the case that GNOME autorun is not disabled?
      

[org/gnome/settings-daemon/plugins/media-keys]
logout=['']

/org/gnome/settings-daemon/plugins/media-keys/logout

To ensure the system is configured to ignore the Ctrl-Alt-Del sequence,
run the following command:
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
$ grep logout /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/settings-daemon/plugins/media-keys/logout
      Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed?
      

[org/gnome/login-screen]
disable-restart-buttons=true

/org/gnome/login-screen/disable-restart-buttons

To ensure disable and restart on the login screen are disabled, run the following command:
$ grep disable-restart-buttons /etc/dconf/db/distro.d/*
The output should be true.
To ensure that users cannot enable disable and restart on the login screen, run the following:
$ grep disable-restart-buttons /etc/dconf/db/distro.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons
      Is it the case that disable-restart-buttons has not been configured or is not disabled?
      

[org/gnome/login-screen]
disable-user-list=true

/org/gnome/login-screen/disable-user-list

To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/distro.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/distro.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-list
      Is it the case that disable-user-list has not been configured or is not disabled?
      

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'

/org/gnome/settings-daemon/peripherals/smartcard/removal-action

To ensure screen locking on smartcard removal is enabled, run the following command:
$ grep removal-action /etc/dconf/db/local.d/*
The output should be 'lock-screen'.
To ensure that users cannot disable screen locking on smartcard removal, run the following:
$ grep removal-action /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action
      Is it the case that removal-action has not been configured?
      

[org/gnome/desktop/session]
idle-delay=uint32 900

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
      

[org/gnome/desktop/screensaver]
lock-delay=uint32 
              

To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.
      Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />?
      

[org/gnome/desktop/screensaver]
lock-enabled=true

/org/gnome/desktop/screensaver/lock-enabled

To check the status of the idle screen lock activation, run the following command:

$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
      

[org/gnome/desktop/screensaver]
picture-uri=string ''

/org/gnome/desktop/screensaver/picture-uri

To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.

To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
      Is it the case that it is not set or configured properly?
      

/org/gnome/desktop/screensaver/lock-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
      Is it the case that GNOME3 session settings are not locked or configured properly?
      

/org/gnome/desktop/session/idle-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chgrp root DIR
              

Verify the system-wide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
      Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chown root DIR
              

Verify the system-wide shared library directories are owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
      Is it the case that any system-wide shared library directory is not owned by root?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chmod go-w DIR
              

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64

To find shared libraries that are group-writable or world-writable,
run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type d
      Is it the case that any of these files are group-writable or world-writable?
      

The following command will discover and print world-writable directories that
are not owned by root. Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print
      Is it the case that there are world-writable directories not owned by root?
      

$ sudo chmod +t DIR
            

To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
fixtext: |-
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.

Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:

$ chmod a+t [World-Writable Directory]
srg_requirement:
A sticky bit must be set on all Red Hat Enterprise Linux 9 public directories to prevent unauthorized and unintended information transferred via shared system resources.
      Is it the case that any world-writable directories are missing the sticky bit?
      

/var/log/audit/

$ sudo chgrp root /var/log/audit

Determine the audit log group by running the following command:

$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf

Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified.
Run the following command:

$ sudo find /var/log/audit -type d -printf "%p %g\n"

All listed directories must be owned by the log_group or by root if the log_group is not specified.
      Is it the case that there is a directory owned by different group?
      

/var/log/audit/

$ sudo chown root /var/log/audit 

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Determine the owner of the audit log directory by using the output of the above command
(default: "/var/log/audit/"). Run the following command with the correct audit log directory
path:

$ sudo ls -ld /var/log/audit

drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit

The audit log directory must be owned by "root"
      Is it the case that the directory is not owned by root?
      

CtrlAltDelBurstAction=none

To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
enter the following command:
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
CtrlAltDelBurstAction=none
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.?
      

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
      

HostbasedAuthentication no

To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:

$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

*     hard   core    0

Verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
*     hard   core    0
      Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"?
      

$ sudo grep pam_succeed_if /etc/pam.d/sudo

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?
      

session     [default=1]    pam_lastlog.so showfailed

Verify users are provided with feedback on when account accesses last occurred with the following command:

$ sudo grep pam_lastlog /etc/pam.d/postlogin

session [default=1] pam_lastlog.so showfailed
      Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file?
      

Verify that authselect is enabled by running
authselect current
If authselect is enabled on the system, the output should show the ID of the profile which is currently in use.
      Is it the case that authselect is not used to manage user authentication setup on the system?
      

fips-mode-setup --enable

To verify that the Dracut FIPS module is enabled, run the following command:
grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf
The output should look like this:
add_dracutmodules+=" fips "
      Is it the case that the Dracut FIPS module is not enabled?
      

fips-mode-setup --enable

• Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
• Creating /etc/system-fips
• Setting the system crypto policy in /etc/crypto-policies/config to
• Loading the Dracut fips module

To verify that FIPS mode is enabled properly, run the following command:
fips-mode-setup --check
The output should contain the following:
FIPS mode is enabled.
To verify that the cryptographic policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
The output should return .
      Is it the case that FIPS mode is not enabled?
      

part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
            

Check the system partitions to determine if they are encrypted with the following command:
blkid

Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"

The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?
      

gpgcheck=1

Verify that dnf verifies the signature of packages from a repository prior to install with the following command:

$ grep gpgcheck /etc/dnf/dnf.conf

gpgcheck=1

If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates that is approved by the organization?
      

Verify that dnf verifies the signature of local packages prior to install with the following command:

$ grep localpkg_gpgcheck /etc/dnf/dnf.conf

localpkg_gpgcheck=1

If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates for local packages that is approved by the organization?
      

gpgcheck=0

To determine whether dnf has been configured to disable
gpgcheck for any repos,  inspect all files in
/etc/yum.repos.d and ensure the following does not appear in any
sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
      Is it the case that GPG checking is disabled?
      

$ sudo subscription-manager register

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

To ensure that the GPG key is installed, run:
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
The command should return the string below:
gpg(Red Hat, Inc. (release key 2)  <security@redhat.com>
      Is it the case that the Red Hat GPG Key is not installed?
      

Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the group-owner of each audit tool by running the following command:

$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not group-owned by root?
      

Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification.

Check the owner of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

root /sbin/auditctl
root /sbin/aureport
root /sbin/ausearch
root /sbin/autrace
root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
      Is it the case that any audit tools are not owned by root?
      

Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode.

Check the octal permission of each audit tool by running the following command:

$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules
      Is it the case that any of these files have more permissive permissions than 0755?
      

$ sudo chgrp root /etc/group-

To check the group ownership of /etc/group-,
run the command:
$ ls -lL /etc/group-
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/group- does not have a group owner of root?
      

$ sudo chgrp root /etc/gshadow-

To check the group ownership of /etc/gshadow-,
run the command:
$ ls -lL /etc/gshadow-
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/gshadow- does not have a group owner of root?
      

$ sudo chgrp root /etc/passwd-

To check the group ownership of /etc/passwd-,
run the command:
$ ls -lL /etc/passwd-
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/passwd- does not have a group owner of root?
      

$ sudo chgrp root /etc/shadow-

To check the group ownership of /etc/shadow-,
run the command:
$ ls -lL /etc/shadow-
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/shadow- does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.d

To check the group ownership of /etc/cron.d,
run the command:
$ ls -lL /etc/cron.d
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.d does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.daily

To check the group ownership of /etc/cron.daily,
run the command:
$ ls -lL /etc/cron.daily
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.daily does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.deny

To check the group ownership of /etc/cron.deny,
run the command:
$ ls -lL /etc/cron.deny
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.deny does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.hourly

To check the group ownership of /etc/cron.hourly,
run the command:
$ ls -lL /etc/cron.hourly
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.hourly does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.monthly

To check the group ownership of /etc/cron.monthly,
run the command:
$ ls -lL /etc/cron.monthly
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.monthly does not have a group owner of root?
      

$ sudo chgrp root /etc/cron.weekly

To check the group ownership of /etc/cron.weekly,
run the command:
$ ls -lL /etc/cron.weekly
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/cron.weekly does not have a group owner of root?
      

$ sudo chgrp root /etc/crontab

To check the group ownership of /etc/crontab,
run the command:
$ ls -lL /etc/crontab
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/crontab does not have a group owner of root?
      

$ sudo chgrp root /etc/group

To check the group ownership of /etc/group,
run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/group does not have a group owner of root?
      

$ sudo chgrp root /etc/gshadow

To check the group ownership of /etc/gshadow,
run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/gshadow does not have a group owner of root?
      

$ sudo chgrp root /etc/passwd

To check the group ownership of /etc/passwd,
run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/passwd does not have a group owner of root?
      

$ sudo chgrp root /etc/shadow

To check the group ownership of /etc/shadow,
run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/shadow does not have a group owner of root?
      

$ sudo chgrp root /boot/grub2/grub.cfg

To check the group ownership of /boot/grub2/grub.cfg,
run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /boot/grub2/grub.cfg does not have a group owner of root?
      

$ sudo chgrp root /etc/ssh/sshd_config

To check the group ownership of /etc/ssh/sshd_config,
run the command:
$ ls -lL /etc/ssh/sshd_config
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /etc/ssh/sshd_config does not have a group owner of root?
      

$ sudo chgrp root /var/log

To check the group ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /var/log does not have a group owner of root?
      

$ sudo chgrp root /var/log/messages

To check the group ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following group-owner:
root
      Is it the case that /var/log/messages does not have a group owner of root?
      

$ sudo chgrp USER_GROUP /home/USER
            

To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?
      

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

$ sudo chgrp root FILE
              

Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
      Is it the case that any system commands are returned and is not group-owned by a required system account?
      

$ sudo chown root /etc/group- 

To check the ownership of /etc/group-,
run the command:
$ ls -lL /etc/group-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/group- does not have an owner of root?
      

$ sudo chown root /etc/gshadow- 

To check the ownership of /etc/gshadow-,
run the command:
$ ls -lL /etc/gshadow-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/gshadow- does not have an owner of root?
      

$ sudo chown root /etc/passwd- 

To check the ownership of /etc/passwd-,
run the command:
$ ls -lL /etc/passwd-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/passwd- does not have an owner of root?
      

$ sudo chown root /etc/shadow- 

To check the ownership of /etc/shadow-,
run the command:
$ ls -lL /etc/shadow-
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/shadow- does not have an owner of root?
      

$ sudo chown root /etc/cron.d 

To check the ownership of /etc/cron.d,
run the command:
$ ls -lL /etc/cron.d
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.d does not have an owner of root?
      

$ sudo chown root /etc/cron.daily 

To check the ownership of /etc/cron.daily,
run the command:
$ ls -lL /etc/cron.daily
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.daily does not have an owner of root?
      

$ sudo chown root /etc/cron.deny 

To check the ownership of /etc/cron.deny,
run the command:
$ ls -lL /etc/cron.deny
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.deny does not have an owner of root?
      

$ sudo chown root /etc/cron.hourly 

To check the ownership of /etc/cron.hourly,
run the command:
$ ls -lL /etc/cron.hourly
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.hourly does not have an owner of root?
      

$ sudo chown root /etc/cron.monthly 

To check the ownership of /etc/cron.monthly,
run the command:
$ ls -lL /etc/cron.monthly
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.monthly does not have an owner of root?
      

$ sudo chown root /etc/cron.weekly 

To check the ownership of /etc/cron.weekly,
run the command:
$ ls -lL /etc/cron.weekly
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/cron.weekly does not have an owner of root?
      

$ sudo chown root /etc/crontab 

To check the ownership of /etc/crontab,
run the command:
$ ls -lL /etc/crontab
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/crontab does not have an owner of root?
      

$ sudo chown root /etc/group 

To check the ownership of /etc/group,
run the command:
$ ls -lL /etc/group
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/group does not have an owner of root?
      

$ sudo chown root /etc/gshadow 

To check the ownership of /etc/gshadow,
run the command:
$ ls -lL /etc/gshadow
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/gshadow does not have an owner of root?
      

$ sudo chown root /etc/passwd 

To check the ownership of /etc/passwd,
run the command:
$ ls -lL /etc/passwd
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/passwd does not have an owner of root?
      

$ sudo chown root /etc/shadow 

To check the ownership of /etc/shadow,
run the command:
$ ls -lL /etc/shadow
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/shadow does not have an owner of root?
      

$ sudo chown root /boot/grub2/grub.cfg 

To check the ownership of /boot/grub2/grub.cfg,
run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following owner:
root
      Is it the case that /boot/grub2/grub.cfg does not have an owner of root?
      

$ sudo chown root /etc/ssh/sshd_config 

To check the ownership of /etc/ssh/sshd_config,
run the command:
$ ls -lL /etc/ssh/sshd_config
If properly configured, the output should indicate the following owner:
root
      Is it the case that /etc/ssh/sshd_config does not have an owner of root?
      

$ sudo chown root /var/log 

To check the ownership of /var/log,
run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log does not have an owner of root?
      

$ sudo chown root /var/log/messages 

To check the ownership of /var/log/messages,
run the command:
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following owner:
root
      Is it the case that /var/log/messages does not have an owner of root?
      

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

$ sudo chown root FILE
              

Verify the system commands contained in the following directories are owned by "root" with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
      Is it the case that any system commands are found to not be owned by root?