Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R9. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image
The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation targetip-172-31-7-214.ec2.internal
Benchmark URL#scap_org.open-scap_comp_ssg-rhel8-xccdf.xml
Benchmark IDxccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version0.1.67
Profile IDxccdf_org.ssgproject.content_profile_stig
Started at2023-05-08T20:22:30+00:00
Finished at2023-05-08T20:23:02+00:00
Performed byroot
Test systemcpe:/a:redhat:openscap:1.3.6

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.10
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9

Addresses

  • IPv4  127.0.0.1
  • IPv4  172.31.7.214
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:bd:78ff:fec4:22a1
  • MAC  00:00:00:00:00:00
  • MAC  02:BD:78:C4:22:A1

Compliance and Scoring

The target system did not satisfy the conditions of 10 rules! Please review rule results and consider applying remediation.

Rule results

356 passed
10 failed
10 other

Severity of failed rules

0 other
0 low
10 medium
0 high

Score

Scoring systemScoreMaximumPercent
urn:xccdf:scoring:default94.601830100.000000
94.6%

Rule Overview

Group rules by:
TitleSeverityResult
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 10x fail 10x notchecked
System Settings 7x fail 9x notchecked
Installing and Maintaining Software 3x fail 2x notchecked
System and Software Integrity 2x fail
Software Integrity Checking
Verify Integrity with AIDE
Install AIDEmedium
pass
Build and Test AIDE Databasemedium
pass
Configure AIDE to Verify the Audit Toolsmedium
pass
Configure Notification of Post-AIDE Scan Detailsmedium
pass
Configure AIDE to Verify Access Control Lists (ACLs)low
pass
Configure AIDE to Verify Extended Attributeslow
pass
Audit Tools Must Be Group-owned by Rootmedium
pass
Audit Tools Must Be Owned by Rootmedium
pass
Audit Tools Must Have a Mode of 0755 or Less Permissivemedium
pass
Federal Information Processing Standard (FIPS)
Enable Dracut FIPS Modulehigh
pass
Enable FIPS Modehigh
pass
Set kernel parameter 'crypto.fips_enabled' to 1high
pass
System Cryptographic Policies
Configure BIND to use System Crypto Policyhigh
pass
Configure System Cryptography Policyhigh
pass
Configure GnuTLS library to use DoD-approved TLS Encryptionmedium
pass
Configure Kerberos to use System Crypto Policyhigh
pass
Configure Libreswan to use System Crypto Policyhigh
pass
Configure OpenSSL library to use System Crypto Policymedium
pass
Configure OpenSSL library to use TLS Encryptionmedium
pass
Configure SSH to use System Crypto Policymedium
pass
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.confighigh
pass
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.configmedium
pass
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.configmedium
pass
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.configmedium
pass
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supportedhigh
pass
Endpoint Protection Software 2x fail
McAfee Endpoint Security Software 2x fail
McAfee Endpoint Security for Linux (ENSL) 2x fail
Install McAfee Endpoint Security for Linux (ENSL)medium
fail
Ensure McAfee Endpoint Security for Linux (ENSL) is runningmedium
fail
Disk Partitioning 1x notchecked
Encrypt Partitionshigh
notchecked
Ensure /home Located On Separate Partitionlow
pass
Ensure /tmp Located On Separate Partitionlow
pass
Ensure /var Located On Separate Partitionlow
pass
Ensure /var/log Located On Separate Partitionlow
pass
Ensure /var/log/audit Located On Separate Partitionlow
pass
Ensure /var/tmp Located On Separate Partitionmedium
pass
GNOME Desktop Environment
Disable the GNOME3 Login User Listmedium
notapplicable
Enable the GNOME3 Screen Locking On Smartcard Removalmedium
notapplicable
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeoutmedium
notapplicable
Set GNOME3 Screensaver Lock Delay After Activation Periodmedium
notapplicable
Enable GNOME3 Screensaver Lock After Idle Periodmedium
notapplicable
Ensure Users Cannot Change GNOME3 Screensaver Settingsmedium
notapplicable
Ensure Users Cannot Change GNOME3 Session Idle Settingsmedium
notapplicable
GNOME System Settings
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3high
notapplicable
Sudo 1x fail
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatemedium
pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDmedium
fail
Require Re-Authentication When Using the sudo Commandmedium
pass
The operating system must restrict privilege elevation to authorized personnelmedium
pass
Ensure sudo only includes the default configuration directorymedium
pass
Ensure invoking users password for privilege escalation when using sudomedium
pass
System Tooling / Utilities
Install rng-tools Packagelow
pass
Uninstall abrt-addon-ccpp Packagelow
pass
Uninstall abrt-addon-kerneloops Packagelow
pass
Uninstall abrt-cli Packagelow
pass
Uninstall abrt-plugin-sosreport Packagelow
pass
Uninstall gssproxy Packagemedium
pass
Uninstall iprutils Packagemedium
pass
Uninstall krb5-workstation Packagemedium
notapplicable
Uninstall libreport-plugin-logger Packagelow
pass
Uninstall libreport-plugin-rhtsupport Packagelow
pass
Uninstall python3-abrt-addon Packagelow
pass
Uninstall tuned Packagemedium
pass
Updating Software 1x notchecked
Ensure yum Removes Previous Package Versionslow
pass
Ensure gpgcheck Enabled In Main yum Configurationhigh
pass
Ensure gpgcheck Enabled for Local Packageshigh
pass
Ensure gpgcheck Enabled for All yum Package Repositorieshigh
pass
Ensure Red Hat GPG Key Installedhigh
pass
Ensure Software Patches Installed () medium
notchecked
Account and Access Control 2x fail 4x notchecked
Warning Banners for System Accesses
Enable GNOME3 Login Warning Bannermedium
notapplicable
Modify the System Login Bannermedium
pass
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Limit Password Reuse: password-authmedium
pass
Limit Password Reuse: system-authmedium
pass
Account Lockouts Must Be Loggedmedium
pass
Lock Accounts After Failed Password Attemptsmedium
pass
Configure the root Account for Failed Password Attemptsmedium
pass
Lock Accounts Must Persistmedium
pass
Set Interval For Counting Failed Password Attemptsmedium
pass
Do Not Show System Messages When Unsuccessful Logon Attempts Occurmedium
pass
Set Lockout Time for Failed Password Attemptsmedium
pass
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Wordsmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Different Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classmedium
pass
Set Password Maximum Consecutive Repeating Charactersmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Lengthmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Special Charactersmedium
pass
Ensure PAM password complexity module is enabled in password-authmedium
pass
Ensure PAM password complexity module is enabled in system-authmedium
pass
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersmedium
pass
Set Password Hashing Algorithm
Set Password Hashing Algorithm in /etc/login.defsmedium
pass
Set PAM''s Password Hashing Algorithm - password-authmedium
pass
Set PAM''s Password Hashing Algorithmmedium
pass
Set Password Hashing Rounds in /etc/login.defsmedium
pass
Protect Physical Console Access 1x fail
Configure Screen Locking 1x fail
Configure Console Screen Locking 1x fail
Install the tmux Packagemedium
pass
Support session locking with tmux (not enforcing)medium
fail
Configure tmux to lock session after inactivitymedium
pass
Configure the tmux Lock Commandmedium
pass
Configure the tmux lock session key bindinglow
pass
Prevent user from disabling the screen locklow
pass
Install the opensc Package For Multifactor Authenticationmedium
pass
Install Smart Card Packages For Multifactor Authenticationmedium
pass
Disable debug-shell SystemD Servicemedium
pass
Disable Ctrl-Alt-Del Burst Actionhigh
pass
Disable Ctrl-Alt-Del Reboot Activationhigh
pass
Require Authentication for Emergency Systemd Targetmedium
pass
Require Authentication for Single User Modemedium
pass
Protect Accounts by Restricting Password-Based Login 1x fail 2x notchecked
Set Password Expiration Parameters
Set Existing Passwords Maximum Agemedium
pass
Set Existing Passwords Minimum Agemedium
pass
Verify Proper Storage and Existence of Password Hashes
Verify All Account Password Hashes are Shadowed with SHA512medium
pass
Prevent Login to Accounts With Empty Passwordhigh
pass
Restrict Root Logins
Verify Only Root Has UID 0high
pass
Only Authorized Local User Accounts Exist on Operating Systemmedium
fail
Secure Session Configuration Files for Login Accounts 2x notchecked
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctlymedium
pass
Ensure the Default C Shell Umask is Set Correctlymedium
pass
Ensure the Default Umask is Set Correctly in /etc/profilemedium
pass
Ensure the Default Umask is Set Correctly For Interactive Usersmedium
pass
Ensure the Logon Failure Delay is Set Correctly in login.defsmedium
pass
User Initialization Files Must Not Run World-Writable Programsmedium
pass
Ensure that Users Path Contains Only Local Directoriesmedium
notchecked
All Interactive Users Must Have A Home Directory Definedmedium
pass
All Interactive Users Home Directories Must Existmedium
pass
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Groupmedium
pass
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissivemedium
pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupmedium
pass
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivemedium
notchecked
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivemedium
pass
Enable authselectmedium
pass
System Accounting with auditd 1x notchecked
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - chownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - removexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - setxattrmedium
pass
Record Execution Attempts to Run ACL Privileged Commands
Record Any Attempts to Run chaclmedium
pass
Record Any Attempts to Run setfaclmedium
pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run chconmedium
pass
Record Any Attempts to Run semanagemedium
pass
Record Any Attempts to Run setfilesmedium
pass
Record Any Attempts to Run setseboolmedium
pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - renamemedium
pass
Ensure auditd Collects File Deletion Events by User - renameatmedium
pass
Ensure auditd Collects File Deletion Events by User - rmdirmedium
pass
Ensure auditd Collects File Deletion Events by User - unlinkatmedium
pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creatmedium
pass
Record Unsuccessful Access Attempts to Files - ftruncatemedium
pass
Record Unsuccessful Access Attempts to Files - openmedium
pass
Record Unsuccessful Access Attempts to Files - open_by_handle_atmedium
pass
Record Unsuccessful Access Attempts to Files - openatmedium
pass
Record Unsuccessful Access Attempts to Files - truncatemedium
pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulemedium
pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulemedium
pass
Ensure auditd Collects Information on Kernel Module Loading - init_modulemedium
pass
Record Information on the Use of Privileged Commands
Ensure auditd Collects Information on the Use of Privileged Commands - chagemedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - chshmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - crontabmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - kmodmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - mountmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - passwdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - postdropmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuemedium
pass
Record Any Attempts to Run ssh-agentmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - sumedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudomedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - umountmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_updatemedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - userhelpermedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - usermodmedium
pass
Make the auditd Configuration Immutablemedium
pass
Ensure auditd Collects Information on Exporting to Media (successful)medium
pass
Ensure auditd Collects System Administrator Actions - /etc/sudoersmedium
pass
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/medium
pass
Record Events When Privileged Executables Are Runmedium
pass
Record Events that Modify User/Group Information - /etc/groupmedium
pass
Record Events that Modify User/Group Information - /etc/gshadowmedium
pass
Record Events that Modify User/Group Information - /etc/security/opasswdmedium
pass
Record Events that Modify User/Group Information - /etc/passwdmedium
pass
Record Events that Modify User/Group Information - /etc/shadowmedium
pass
System Audit Directories Must Be Group Owned By Rootmedium
pass
System Audit Directories Must Be Owned By Rootmedium
pass
System Audit Logs Must Have Mode 0750 or Less Permissivemedium
pass
System Audit Logs Must Be Group Owned By Rootmedium
pass
System Audit Logs Must Be Owned By Rootmedium
pass
System Audit Logs Must Have Mode 0640 or Less Permissivemedium
pass
Configure auditd Data Retention 1x notchecked
Configure a Sufficiently Large Partition for Audit Logsmedium
notchecked
Configure auditd Disk Error Action on Disk Errormedium
pass
Configure auditd Disk Full Action when Disk Space Is Fullmedium
pass
Configure auditd mail_acct Action on Low Disk Spacemedium
pass
Configure auditd space_left Action on Low Disk Spacemedium
pass
Configure auditd space_left on Low Disk Spacemedium
pass
Include Local Events in Audit Logsmedium
pass
Resolve information before writing to audit logslow
pass
Set hostname as computer node name in audit logsmedium
pass
Appropriate Action Must be Setup When the Internal Audit Event Queue is Fullmedium
pass
Ensure the audit Subsystem is Installedmedium
pass
Enable auditd Servicemedium
pass
Enable Auditing for Processes Which Start Prior to the Audit Daemonlow
pass
Extend Audit Backlog Limit for the Audit Daemonlow
pass
GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configuration
Set the Boot Loader Admin Username to a Non-Default Valuehigh
pass
Set Boot Loader Password in grub2high
pass
UEFI GRUB2 bootloader configuration
Set the UEFI Boot Loader Admin Username to a Non-Default Valuemedium
notapplicable
Set the UEFI Boot Loader Passwordhigh
notapplicable
Enable Kernel Page-Table Isolation (KPTI)low
pass
Disable vsyscallsmedium
pass
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure cron Is Logging To Rsyslogmedium
pass
Ensure Rsyslog Authenticates Off-Loaded Audit Recordsmedium
pass
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsmedium
pass
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsmedium
pass
Ensure remote access methods are monitored in Rsyslogmedium
pass
Rsyslog Logs Sent To Remote Host
Ensure Logs Sent To Remote Hostmedium
pass
Ensure rsyslog-gnutls is installedmedium
pass
Ensure rsyslog is Installedmedium
pass
Enable rsyslog Servicemedium
pass
Network Configuration and Firewalls 1x fail 1x notchecked
firewalld 1x notchecked
Inspect and Activate Default firewalld Rules
Install firewalld Packagemedium
pass
Verify firewalld Enabledmedium
pass
Strengthen the Default Ruleset 1x notchecked
Configure the Firewalld Portsmedium
notchecked
IPv6
Configure IPv6 Settings if Necessary
Configure Accepting Router Advertisements on All IPv6 Interfacesmedium
pass
Disable Accepting ICMP Redirects for All IPv6 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesmedium
pass
Disable Kernel Parameter for IPv6 Forwardingmedium
pass
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultmedium
pass
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Disable Accepting ICMP Redirects for All IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfacesmedium
pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultmedium
pass
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesmedium
pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultmedium
pass
Uncommon Network Protocols
Disable ATM Supportmedium
pass
Disable CAN Supportmedium
pass
Disable IEEE 1394 (FireWire) Supportlow
pass
Disable SCTP Supportmedium
pass
Disable TIPC Supportlow
pass
Wireless Networking
Disable Wireless Through Software Configuration
Disable Bluetooth Kernel Modulemedium
pass
Deactivate Wireless Network Interfacesmedium
notapplicable
Configure Multiple DNS Servers in /etc/resolv.confmedium
fail
Ensure System is Not Acting as a Network Sniffermedium
pass
File Permissions and Masks 1x fail
Verify Permissions on Important Files and Directories
Verify Permissions on Files within /var/log Directory
Verify Group Who Owns /var/log Directorymedium
pass
Verify Group Who Owns /var/log/messages Filemedium
pass
Verify User Who Owns /var/log Directorymedium
pass
Verify User Who Owns /var/log/messages Filemedium
pass
Verify Permissions on /var/log Directorymedium
pass
Verify Permissions on /var/log/messages Filemedium
pass
Verify File Permissions Within Some Important Directories
Verify that Shared Library Directories Have Root Group Ownershipmedium
pass
Verify that Shared Library Directories Have Root Ownershipmedium
pass
Verify that Shared Library Directories Have Restrictive Permissionsmedium
pass
Verify that system commands files are group owned by root or a system accountmedium
pass
Verify that System Executables Have Root Ownershipmedium
pass
Verify that Shared Library Files Have Root Ownershipmedium
pass
Verify that System Executables Have Restrictive Permissionsmedium
pass
Verify that Shared Library Files Have Restrictive Permissionsmedium
pass
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.medium
pass
Ensure All World-Writable Directories Are Owned by root usermedium
pass
Verify that All World-Writable Directories Have Sticky Bits Setmedium
pass
Ensure All World-Writable Directories Are Group Owned by a System Accountmedium
pass
Verify Permissions on /etc/audit/auditd.confmedium
pass
Verify Permissions on /etc/audit/rules.d/*.rulesmedium
pass
Ensure All Files Are Owned by a Groupmedium
pass
Ensure All Files Are Owned by a Usermedium
pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable the Automountermedium
pass
Disable Mounting of cramfslow
pass
Disable Modprobe Loading of USB Storage Drivermedium
pass
Restrict Partition Mount Options 1x fail
Add nosuid Option to /boot/efimedium
notapplicable
Add nosuid Option to /bootmedium
pass
Add nodev Option to /dev/shmmedium
pass
Add noexec Option to /dev/shmmedium
pass
Add nosuid Option to /dev/shmmedium
pass
Add noexec Option to /homemedium
pass
Add nosuid Option to /homemedium
pass
Add nodev Option to Non-Root Local Partitionsmedium
pass
Add nodev Option to Removable Media Partitionsmedium
pass
Add noexec Option to Removable Media Partitionsmedium
pass
Add nosuid Option to Removable Media Partitionsmedium
pass
Add nodev Option to /tmpmedium
pass
Add noexec Option to /tmpmedium
fail
Add nosuid Option to /tmpmedium
pass
Add nodev Option to /var/log/auditmedium
pass
Add noexec Option to /var/log/auditmedium
pass
Add nosuid Option to /var/log/auditmedium
pass
Add nodev Option to /var/logmedium
pass
Add noexec Option to /var/logmedium
pass
Add nosuid Option to /var/logmedium
pass
Add nodev Option to /var/tmpmedium
pass
Add noexec Option to /var/tmpmedium
pass
Add nosuid Option to /var/tmpmedium
pass
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable acquiring, saving, and processing core dumpsmedium
pass
Disable core dump backtracesmedium
pass
Disable storing core dumpmedium
pass
Disable Core Dumps for All Usersmedium
pass
Enable ExecShield
Restrict Exposed Kernel Pointer Addresses Accessmedium
pass
Enable Randomized Layout of Virtual Address Spacemedium
pass
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Enable NX or XD Support in the BIOSmedium
pass
Memory Poisoning
Enable page allocator poisoningmedium
pass
Enable SLUB/SLAB allocator poisoningmedium
pass
Disable storing core dumpsmedium
pass
Restrict Access to Kernel Message Bufferlow
pass
Disable Kernel Image Loadingmedium
pass
Disallow kernel profiling by unprivileged userslow
pass
Disable Access to Network bpf() Syscall From Unprivileged Processesmedium
pass
Restrict usage of ptrace to descendant processesmedium
pass
Harden the operation of the BPF just-in-time compilermedium
pass
Disable the use of user namespacesmedium
pass
SELinux 1x notchecked
Install policycoreutils Packagelow
pass
Configure SELinux Policymedium
pass
Ensure SELinux State is Enforcinghigh
pass
Services 3x fail 1x notchecked
Base Services
Uninstall Automatic Bug Reporting Tool (abrt)medium
pass
Disable KDump Kernel Crash Analyzer (kdump)medium
pass
Application Whitelisting Daemon 1x fail
Install fapolicyd Packagemedium
pass
Enable the File Access Policy Servicemedium
pass
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.medium
fail
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Packagehigh
pass
Kerberos
Remove the Kerberos Server Packagemedium
notapplicable
Disable Kerberos by removing host keytabmedium
notapplicable
Mail Server Software 1x fail
Configure SMTP For Mail Clients
Configure System to Forward All Mail From Postmaster to The Root Accountmedium
pass
Configure Operating System to Protect Mail Server 1x fail
Configure Postfix if Necessary 1x fail
Control Mail Relaying 1x fail
Prevent Unrestricted Mail Relayingmedium
fail
The Postfix package is installedmedium
pass
Uninstall Sendmail Packagemedium
pass
NFS and RPC
Configure NFS Clients
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with nodevmedium
pass
Mount Remote Filesystems with noexecmedium
pass
Mount Remote Filesystems with nosuidmedium
pass
Network Time Protocol
Disable chrony daemon from acting as serverlow
pass
Disable network management of chrony daemonlow
pass
Configure Time Service Maxpoll Intervalmedium
pass
Ensure Chrony is only configured with the server directivemedium
pass
Obsolete Services
Rlogin, Rsh, and Rexec
Uninstall rsh-server Packagehigh
pass
Remove Host-Based Authentication Fileshigh
pass
Remove User Host-Based Authentication Fileshigh
pass
Telnet
Uninstall telnet-server Packagehigh
pass
TFTP Server
Uninstall tftp-server Packagehigh
pass
Ensure tftp Daemon Uses Secure Modemedium
notapplicable
SSH Server 1x notchecked
Configure OpenSSH Client if Necessary 1x notchecked
Verify the SSH Private Key Files Have a Passcodemedium
notchecked
Configure OpenSSH Server if Necessary
Set SSH Client Alive Count Maxmedium
pass
Disable SSH Access via Empty Passwordshigh
pass
Disable GSSAPI Authenticationmedium
pass
Disable Kerberos Authenticationmedium
pass
Disable SSH Support for User Known Hostsmedium
pass
Disable X11 Forwardingmedium
pass
Do Not Allow SSH Environment Optionsmedium
pass
Enable Use of Strict Mode Checkingmedium
pass
Enable SSH Warning Bannermedium
pass
Enable SSH Print Last Logmedium
pass
Force frequent session key renegotiationmedium
pass
Use Only FIPS 140-2 Validated Key Exchange Algorithmsmedium
pass
SSH server uses strong entropy to seedlow
pass
Prevent remote hosts from connecting to the proxy displaymedium
pass
Install the OpenSSH Server Packagemedium
pass
Enable the OpenSSH Servicemedium
pass
Verify Permissions on SSH Server Private *_key Key Filesmedium
pass
Verify Permissions on SSH Server Public *.pub Key Filesmedium
pass
System Security Services Daemon 1x fail
Certificate status checking in SSSDmedium
pass
Enable Certmap in SSSDmedium
fail
Enable Smartcards in SSSDmedium
pass
Configure SSSD to Expire Offline Credentialsmedium
pass
USBGuard daemon
Install usbguard Packagemedium
pass
Enable the USBGuard Servicemedium
pass
Log USBGuard daemon audit events using Linux Auditlow
pass
Generate USBGuard Policymedium
pass
X Window System
Disable X Windows
Disable graphical user interfacemedium
pass
Disable X Windows Startup By Setting Default Targetmedium
pass

Result Details

Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4

Install AIDE

Rule IDxccdf_org.ssgproject.content_rule_package_aide_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_aide_installed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80844-4

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Description
The aide package can be installed with the following command: 
$ sudo yum install aide
Rationale
The AIDE package must be installed if it is to be available for integrity checking.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64
Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-80675-2

Build and Test AIDE Database

Rule IDxccdf_org.ssgproject.content_rule_aide_build_database
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_build_database:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80675-2

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Description
Run the following command to generate a new database: 
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: 
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command: 
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
Rationale
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64

Testing existence of new aide database file  oval:ssg-test_aide_build_new_database_absolute_path:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/var/lib/aide/aide.db.new.gzregular004246810rw------- 

Testing existence of operational aide database file  oval:ssg-test_aide_operational_database_absolute_path:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/var/lib/aide/aide.db.gzregular004246810rw------- 
Configure AIDE to Verify the Audit Toolsxccdf_org.ssgproject.content_rule_aide_check_audit_tools mediumCCE-85964-5

Configure AIDE to Verify the Audit Tools

Rule IDxccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_check_audit_tools:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85964-5

References:  CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule

Description
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64

auditctl is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512

auditd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditd:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

ausearch is checked in /etc/aide.conf  oval:ssg-test_aide_verify_ausearch:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512

aureport is checked in /etc/aide.conf  oval:ssg-test_aide_verify_aureport:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512

autrace is checked in /etc/aide.conf  oval:ssg-test_aide_verify_autrace:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512

rsyslogd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_rsyslogd:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512

augenrules is checked in /etc/aide.conf  oval:ssg-test_aide_verify_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-82891-3

Configure Notification of Post-AIDE Scan Details

Rule IDxccdf_org.ssgproject.content_rule_aide_scan_notification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_scan_notification:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82891-3

References:  BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r880708_rule

Description
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line: 
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab: 
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
Rationale
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64

notify personnel when aide completes  oval:ssg-test_aide_scan_notification:tst:1  true

Following items have been found on the system:
PathContent
/etc/crontab0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

notify personnel when aide completes  oval:ssg-test_aide_var_cron_notification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/var/spool/cron/root^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$1

notify personnel when aide completes in cron.(daily|weekly|monthly)  oval:ssg-test_aide_crontabs_notification:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^/etc/cron.(d|daily|weekly|monthly)$^.*$^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$1
Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-84220-3

Configure AIDE to Verify Access Control Lists (ACLs)

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_acls
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_acls:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-84220-3

References:  BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r880724_rule

Description
By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
Rationale
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64

acl is set in /etc/aide.conf  oval:ssg-test_aide_verify_acls:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.confEVERYTHING = R+ALLXTRAHASHES+acl+xattrs
/etc/aide.confNORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/aide.confDIR = p+i+n+u+g+acl+selinux+xattrs
/etc/aide.confPERMS = p+u+g+acl+selinux+xattrs
/etc/aide.confLOG = p+u+g+n+S+acl+selinux+xattrs
/etc/aide.confCONTENT = sha512+ftype+acl+xattrs
/etc/aide.confCONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
/etc/aide.confDATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-83733-6

Configure AIDE to Verify Extended Attributes

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_ext_attributes:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-83733-6

References:  BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule

Description
By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
Rationale
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)14.el8_5.10.160:0.16-14.el8_5.1199e2f91fd431d51aide-0:0.16-14.el8_5.1.x86_64

xattrs is set in /etc/aide.conf  oval:ssg-test_aide_verify_ext_attributes:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.confEVERYTHING = R+ALLXTRAHASHES+acl+xattrs
/etc/aide.confNORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/aide.confDIR = p+i+n+u+g+acl+selinux+xattrs
/etc/aide.confPERMS = p+u+g+acl+selinux+xattrs
/etc/aide.confLOG = p+u+g+n+S+acl+selinux+xattrs
/etc/aide.confCONTENT = sha512+ftype+acl+xattrs
/etc/aide.confCONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
/etc/aide.confDATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
Audit Tools Must Be Group-owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership mediumCCE-86239-1

Audit Tools Must Be Group-owned by Root

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_group_ownership:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86239-1

References:  CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule

Description
Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing group ownership of /sbin/auditctl  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_0:ste:1

Testing group ownership of /sbin/aureport  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_1:ste:1

Testing group ownership of /sbin/ausearch  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_2:ste:1

Testing group ownership of /sbin/autrace  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_3:ste:1

Testing group ownership of /sbin/auditd  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_4:ste:1

Testing group ownership of /sbin/rsyslogd  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_5:ste:1

Testing group ownership of /sbin/augenrules  oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_6:ste:1
Audit Tools Must Be Owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_ownership mediumCCE-86259-9

Audit Tools Must Be Owned by Root

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_ownership
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_ownership:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86259-9

References:  CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule

Description
Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct owner.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing user ownership of /sbin/auditctl  oval:ssg-test_file_ownerfile_audit_tools_ownership_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_0:ste:1

Testing user ownership of /sbin/aureport  oval:ssg-test_file_ownerfile_audit_tools_ownership_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_1:ste:1

Testing user ownership of /sbin/ausearch  oval:ssg-test_file_ownerfile_audit_tools_ownership_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_2:ste:1

Testing user ownership of /sbin/autrace  oval:ssg-test_file_ownerfile_audit_tools_ownership_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_3:ste:1

Testing user ownership of /sbin/auditd  oval:ssg-test_file_ownerfile_audit_tools_ownership_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_4:ste:1

Testing user ownership of /sbin/rsyslogd  oval:ssg-test_file_ownerfile_audit_tools_ownership_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_5:ste:1

Testing user ownership of /sbin/augenrules  oval:ssg-test_file_ownerfile_audit_tools_ownership_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_6:ste:1
Audit Tools Must Have a Mode of 0755 or Less Permissivexccdf_org.ssgproject.content_rule_file_audit_tools_permissions mediumCCE-86227-6

Audit Tools Must Have a Mode of 0755 or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_audit_tools_permissions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_audit_tools_permissions:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86227-6

References:  CCI-001493, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030620, SV-230472r627750_rule

Description
Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have a mode of 0755 or less permissive.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
OVAL test results details

Testing mode of /sbin/auditctl  oval:ssg-test_file_permissionsfile_audit_tools_permissions_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_0:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditctloval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_0_mode_0755or_stricter_:ste:1

Testing mode of /sbin/aureport  oval:ssg-test_file_permissionsfile_audit_tools_permissions_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_1:obj:1 of type file_object
FilepathFilterFilter
/sbin/aureportoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_1_mode_0755or_stricter_:ste:1

Testing mode of /sbin/ausearch  oval:ssg-test_file_permissionsfile_audit_tools_permissions_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_2:obj:1 of type file_object
FilepathFilterFilter
/sbin/ausearchoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_2_mode_0755or_stricter_:ste:1

Testing mode of /sbin/autrace  oval:ssg-test_file_permissionsfile_audit_tools_permissions_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_3:obj:1 of type file_object
FilepathFilterFilter
/sbin/autraceoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_3_mode_0755or_stricter_:ste:1

Testing mode of /sbin/auditd  oval:ssg-test_file_permissionsfile_audit_tools_permissions_4:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_4:obj:1 of type file_object
FilepathFilterFilter
/sbin/auditdoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_4_mode_0755or_stricter_:ste:1

Testing mode of /sbin/rsyslogd  oval:ssg-test_file_permissionsfile_audit_tools_permissions_5:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_5:obj:1 of type file_object
FilepathFilterFilter
/sbin/rsyslogdoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_5_mode_0755or_stricter_:ste:1

Testing mode of /sbin/augenrules  oval:ssg-test_file_permissionsfile_audit_tools_permissions_6:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_6:obj:1 of type file_object
FilepathFilterFilter
/sbin/augenrulesoval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1oval:ssg-state_file_permissionsfile_audit_tools_permissions_6_mode_0755or_stricter_:ste:1
Enable Dracut FIPS Modulexccdf_org.ssgproject.content_rule_enable_dracut_fips_module highCCE-82155-3

Enable Dracut FIPS Module

Rule IDxccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_dracut_fips_module:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82155-3

References:  CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r877398_rule

Description
To enable FIPS mode, run the following command: 
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

add_dracutmodules contains fips  oval:ssg-test_enable_dracut_fips_module:tst:1  true

Following items have been found on the system:
PathContent
/etc/dracut.conf.d/40-fips.conf add_dracutmodules+=" fips "
Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-80942-6

Enable FIPS Mode

Rule IDxccdf_org.ssgproject.content_rule_enable_fips_mode
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_fips_mode:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80942-6

References:  CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r877398_rule

Description
To enable FIPS mode, run the following command: 
fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • Loading the Dracut fips module
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
OVAL test results details

/etc/system-fips exists  oval:ssg-test_etc_system_fips:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/system-fipsregular0036rw-r--r-- 

kernel runtime parameter crypto.fips_enabled set to 1  oval:ssg-test_sysctl_crypto_fips_enabled:tst:1  true

Following items have been found on the system:
NameValue
crypto.fips_enabled1

add_dracutmodules contains fips  oval:ssg-test_enable_dracut_fips_module:tst:1  true

Following items have been found on the system:
PathContent
/etc/dracut.conf.d/40-fips.conf add_dracutmodules+=" fips "

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/configFIPS

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/state/currentFIPS

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_crypto_policies_config_file_timestamp:var:11681836215

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/crypto-policies/back-ends/nss.configsymbolic link0039rwxrwxrwx 

tests if var_system_crypto_policy is set to FIPS  oval:ssg-test_system_crypto_policy_value:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_system_crypto_policy:var:1FIPS

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

Fips mode selected in running kernel opts  oval:ssg-test_grubenv_fips_mode:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvfips=1
Set kernel parameter 'crypto.fips_enabled' to 1xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled highCCE-84027-2

Set kernel parameter 'crypto.fips_enabled' to 1

Rule IDxccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_crypto_fips_enabled:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-84027-2

References:  CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-002418, CCI-002450, CCI-002890, CCI-003123, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r877398_rule

Description
System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command: 
fips-mode-setup --enable
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

kernel runtime parameter crypto.fips_enabled set to 1  oval:ssg-test_sysctl_crypto_fips_enabled:tst:1  true

Following items have been found on the system:
NameValue
crypto.fips_enabled1
Configure BIND to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy highCCE-80934-3

Configure BIND to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_bind_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80934-3

References:  CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190, RHEL-08-010020, SV-230223r877398_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";
Rationale
Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.
OVAL test results details

package bind is removed  oval:ssg-test_package_bind_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object
Name
bind

Check that the configuration includes the policy config file.  oval:ssg-test_configure_bind_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/named.conf^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$1
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-80935-0

Configure System Cryptography Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80935-0

References:  164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule

Description
To configure the system cryptography policy to use ciphers only from the FIPS policy, run the following command: 
$ sudo update-crypto-policies --set FIPS
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/configFIPS

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/state/currentFIPS

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_crypto_policies_config_file_timestamp:var:11681836215

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/crypto-policies/back-ends/nss.configsymbolic link0039rwxrwxrwx 
Configure GnuTLS library to use DoD-approved TLS Encryptionxccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy mediumCCE-84254-2

Configure GnuTLS library to use DoD-approved TLS Encryption

Rule IDxccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_gnutls_tls_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84254-2

References:  CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r877394_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/gnutls.config contains the following line and is not commented out: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
Rationale
Overriding the system crypto policy makes the behavior of the GnuTLS library violate expectations, and makes system configuration more fragmented.
OVAL test results details

tests the presence of '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' setting in the /etc/crypto-policies/back-ends/gnutls.config file  oval:ssg-test_configure_gnutls_tls_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/gnutls.config+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
Configure Kerberos to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy highCCE-80936-8

Configure Kerberos to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_kerberos_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80936-8

References:  0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r877398_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
Rationale
Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.
OVAL test results details

Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file  oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1/usr/share/crypto-policies/FIPS/krb5.txt

Check if kerberos configuration symlink links to the crypto-policy backend file  oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1/usr/share/crypto-policies/FIPS/krb5.txt
Configure Libreswan to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy highCCE-80937-6

Configure Libreswan to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_libreswan_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80937-6

References:  CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r877398_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config
Rationale
Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
OVAL test results details

package libreswan is installed  oval:ssg-test_package_libreswan_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
Name
libreswan

Check that the libreswan configuration includes the crypto policy config file  oval:ssg-test_configure_libreswan_crypto_policy:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ipsec.conf^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$1
Configure OpenSSL library to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy mediumCCE-80938-4

Configure OpenSSL library to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_openssl_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80938-4

References:  CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010293, SV-230254r877394_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
Rationale
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.
OVAL test results details

Check that the configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/pki/tls/openssl.cnf [ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config
Configure OpenSSL library to use TLS Encryptionxccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy mediumCCE-84255-9

Configure OpenSSL library to use TLS Encryption

Rule IDxccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_openssl_tls_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84255-9

References:  CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010294, SV-230255r877394_rule

Description
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures TLS protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy. Or create and apply a custom policy that restricts minimum TLS version to 1.2. For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch this is expected: 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2
Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected: 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
Rationale
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings
warning  This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive. Ensure the variable xccdf_org.ssgproject.content_value_var_system_crypto_policy is set to a Crypto Policy that satisfies OpenSSL minimum TLS protocol version 1.2. Custom policies may be applied too.
OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_tls_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/opensslcnf.configTLS.MinProtocol = TLSv1.2

Installed version of crypto-policies is older than 20210617-1  oval:ssg-test_installed_version_of_crypto_policies:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
crypto-policiesnoarch(none)1.gitae470d6.el8202111160:20211116-1.gitae470d6.el8199e2f91fd431d51crypto-policies-0:20211116-1.gitae470d6.el8.noarch

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_dtls_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/opensslcnf.configDTLS.MinProtocol = DTLSv1.2
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-80939-2

Configure SSH to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_ssh_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80939-2

References:  CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.
Rationale
Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_ssh_crypto_policy:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysconfig/sshd^\s*(?i)CRYPTO_POLICY\s*=.*$1
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy highCCE-85902-5

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-85902-5

References:  CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, RHEL-08-010020, SV-230223r877398_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

test the value of Ciphers setting in the /etc/crypto-policies/back-ends/openssh.config file  oval:ssg-test_harden_sshd_ciphers_openssh_conf_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/openssh.configCiphers aes256-ctr,aes192-ctr,aes128-ctr
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy mediumCCE-85897-7

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85897-7

References:  CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010291, SV-230252r877394_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out: 
-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

test the value of Ciphers setting in the /etc/crypto-policies/back-ends/opensshserver.config file  oval:ssg-test_harden_sshd_ciphers_opensshserver_conf_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/opensshserver.configCRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.configxccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy mediumCCE-85870-4

Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_macs_openssh_conf_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85870-4

References:  CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010020, SV-230223r877398_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: MACs hmac-sha2-512,hmac-sha2-256
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

test the value of MACs setting in the /etc/crypto-policies/back-ends/openssh.config file  oval:ssg-test_harden_sshd_macs_openssh_conf_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/openssh.configMACs hmac-sha2-512,hmac-sha2-256
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.configxccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy mediumCCE-85899-3

Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

Rule IDxccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85899-3

References:  CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010290, SV-230251r877394_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out: -oMACS=hmac-sha2-512,hmac-sha2-256
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

test the value of MACs setting in the /etc/crypto-policies/back-ends/opensshserver.config file  oval:ssg-test_harden_sshd_macs_opensshserver_conf_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/opensshserver.configCRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'
The Installed Operating System Is Vendor Supportedxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported highCCE-80947-5

The Installed Operating System Is Vendor Supported

Rule IDxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-installed_OS_is_vendor_supported:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80947-5

References:  18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, RHEL-08-010000, SV-230221r858734_rule

Description
The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches.
Rationale
An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.
Warnings
warning  There is no remediation besides switching to a different operating system.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel9_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 9  oval:ssg-test_rhel9:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 9  oval:ssg-test_rhevh_rhel9_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 8  oval:ssg-test_ol8_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release
Install McAfee Endpoint Security for Linux (ENSL)xccdf_org.ssgproject.content_rule_package_mcafeetp_installed mediumCCE-86260-7

Install McAfee Endpoint Security for Linux (ENSL)

Rule IDxccdf_org.ssgproject.content_rule_package_mcafeetp_installed
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-package_mcafeetp_installed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86260-7

References:  CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule

Description
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The McAfeeTP package can be installed with the following command: 
$ sudo yum install McAfeeTP
Rationale
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Warnings
warning  Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.
OVAL test results details

package McAfeeTP is installed  oval:ssg-test_package_McAfeeTP_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_McAfeeTP_installed:obj:1 of type rpminfo_object
Name
McAfeeTP
Ensure McAfee Endpoint Security for Linux (ENSL) is runningxccdf_org.ssgproject.content_rule_agent_mfetpd_running mediumCCE-86261-5

Ensure McAfee Endpoint Security for Linux (ENSL) is running

Rule IDxccdf_org.ssgproject.content_rule_agent_mfetpd_running
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-agent_mfetpd_running:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86261-5

References:  CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule

Description
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.
Rationale
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Warnings
warning  Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.
OVAL test results details

is mfetpd running  oval:ssg-test_agent_mfetpd_running:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_agent_mfetpd_running:obj:1 of type process58_object
Command linePid
^mfetpd.*$0
Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions highCCE-80789-1

Encrypt Partitions

Rule IDxccdf_org.ssgproject.content_rule_encrypt_partitions
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80789-1

References:  13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, RHEL-08-010030, SV-230224r809268_rule

Description
Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: 
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening .
Rationale
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Evaluation messages
info  
No candidate or applicable check found.
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0

Ensure /home Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_home
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_home:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-81044-0

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule

Description
If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale
Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
OVAL test results details

/home on own partition  oval:ssg-testhome_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/RootVG-homeVolb84b8bdc-384f-44ab-ad39-f905bf9d2f2cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958410085249499
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-80851-9

Ensure /tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_tmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_tmp:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80851-9

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule

Description
The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
OVAL test results details

/tmp on own partition  oval:ssg-testtmp_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7

Ensure /var Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80852-7

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010540, 1.1.3.1, SV-230292r627750_rule

Description
The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.
OVAL test results details

/var on own partition  oval:ssg-testvar_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/dev/mapper/RootVG-varVol42ec74d3-f713-476d-8dc8-45bed6cdf919xfsrwseclabelnodevrelatimeattr2inode64logbufs=8logbsize=32knoquotabind521728185365336363
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log lowCCE-80853-5

Ensure /var/log Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80853-5

References:  BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r627750_rule

Description
System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Placing /var/log in its own partition enables better separation between log files and other files in /var/.
OVAL test results details

/var/log on own partition  oval:ssg-testvar_log_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814504507224
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3

Ensure /var/log/audit Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log_audit:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80854-3

References:  BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule

Description
Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Rationale
Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
OVAL test results details

/var/log/audit on own partition  oval:ssg-testvar_log_audit_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961
Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp mediumCCE-82730-3

Ensure /var/tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_tmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_tmp:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82730-3

References:  BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r743836_rule

Description
The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
OVAL test results details

/var/tmp on own partition  oval:ssg-testvar_tmp_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803
Disable the GNOME3 Login User Listxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list mediumCCE-86195-5

Disable the GNOME3 Login User List

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86195-5

References:  CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, 1.8.3, SV-244536r743857_rule

Description
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example: 
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
Rationale
Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
Enable the GNOME3 Screen Locking On Smartcard Removalxccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal mediumCCE-83910-0

Enable the GNOME3 Screen Locking On Smartcard Removal

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83910-0

References:  CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020050, SV-230351r792899_rule

Description
In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action to 'lock-screen'.

To enable, add or edit removal-action to /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.
Rationale
Locking the screen automatically when removing the smartcard can prevent undesired access to system.
Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-80775-0

Set GNOME3 Screensaver Inactivity Timeout

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80775-0

References:  1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020060, SV-230352r646876_rule

Description
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings: 
[org/gnome/desktop/session]
idle-delay=uint32 900
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay mediumCCE-80776-8

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80776-8

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020031, SV-244535r743854_rule

Description
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 5 in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
lock-delay=uint32 5
After the settings have been set, run dconf update.
Rationale
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.
Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-80777-6

Enable GNOME3 Screensaver Lock After Idle Period

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80777-6

References:  1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r627750_rule

Description
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
Rationale
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.
Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks mediumCCE-80780-0

Ensure Users Cannot Change GNOME3 Screensaver Settings

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80780-0

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020080, SV-230354r743990_rule

Description
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks mediumCCE-80781-8

Ensure Users Cannot Change GNOME3 Session Idle Settings

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80781-8

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020081, SV-244538r743863_rule

Description
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot highCCE-84028-0

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-84028-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r646883_rule

Description
By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to '' in /etc/dconf/db/local.d/00-security-settings. For example: 
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-82202-3

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_remove_no_authenticate:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82202-3

References:  BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r854027_rule

Description
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
OVAL test results details

!authenticate does not exist in /etc/sudoers  oval:ssg-test_no_authenticate_etc_sudoers:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+\!authenticate.*$1

!authenticate does not exist in /etc/sudoers.d  oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d^.*$^(?!#).*[\s]+\!authenticate.*$1
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-82197-5

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_remove_nopasswd:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82197-5

References:  BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r854026_rule

Description
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Warnings
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV requires to perform operations as root without being asked for password.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-82197-5
  - DISA-STIG-RHEL-08-010380
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-82197-5
  - DISA-STIG-RHEL-08-010380
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd
OVAL test results details

NOPASSWD does not exist /etc/sudoers  oval:ssg-test_nopasswd_etc_sudoers:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+NOPASSWD[\s]*\:.*$1

NOPASSWD does not exist in /etc/sudoers.d  oval:ssg-test_nopasswd_etc_sudoers_d:tst:1  false

Following items have been found on the system:
PathContent
/etc/sudoers.d/90-cloud-init-usersmaintuser ALL=(root) NOPASSWD:ALL
Require Re-Authentication When Using the sudo Commandxccdf_org.ssgproject.content_rule_sudo_require_reauthentication mediumCCE-87838-9

Require Re-Authentication When Using the sudo Command

Rule IDxccdf_org.ssgproject.content_rule_sudo_require_reauthentication
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_require_reauthentication:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-87838-9

References:  CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, 5.3.6, SV-237643r861088_rule

Description
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
OVAL test results details

check correct configuration in /etc/sudoers  oval:ssg-test_sudo_timestamp_timeout:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults timestamp_timeout=0
The operating system must restrict privilege elevation to authorized personnelxccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized mediumCCE-83425-9

The operating system must restrict privilege elevation to authorized personnel

Rule IDxccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_restrict_privilege_elevation_to_authorized:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83425-9

References:  CCI-000366, CM-6(b), CM-6(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010382, SV-237641r646893_rule

Description
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Rationale
If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Warnings
warning  This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
OVAL test results details

Make sure that sudoers has restrictions on which users can run sudo  oval:ssg-test_not_all_users_can_sudo_to_users:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_users:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$1

Make sure that sudoers has restrictions on which users can run sudo  oval:ssg-test_not_all_users_can_sudo_to_group:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_group:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*1
Ensure sudo only includes the default configuration directoryxccdf_org.ssgproject.content_rule_sudoers_default_includedir mediumCCE-86377-9

Ensure sudo only includes the default configuration directory

Rule IDxccdf_org.ssgproject.content_rule_sudoers_default_includedir
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudoers_default_includedir:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86377-9

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010379, SV-251711r833385_rule

Description
Administrators can configure authorized sudo users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, or that no drop-in file is included. Either the /etc/sudoers should contain only one #includedir directive pointing to /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; Or the /etc/sudoers should not contain any #include, @include, #includedir or @includedir directives. Note that the '#' character doesn't denote a comment in the configuration file.
Rationale
Some sudo configurtion options allow users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts.
OVAL test results details

test none sudoers #include or @include  oval:ssg-test_sudoers_without_include:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^[#@]include[\s]+.*$1

test none sudoers #includedir or @includdir  oval:ssg-test_sudoers_without_includedir:tst:1  false

Following items have been found on the system:
PathContent
/etc/sudoers#includedir /etc/sudoers.d

test only one sudoers #includedir  oval:ssg-test_sudoers_default_includedir:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoers#includedir /etc/sudoers.d

test none sudoers #include or @include  oval:ssg-test_sudoers_without_include:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^[#@]include[\s]+.*$1

test none sudoers @includedir  oval:ssg-test_sudoers_without_includedir_new:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include_new:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^@includedir[\s]+.*$1

test none sudoers.d #include, @include, #includedir or @includedir  oval:ssg-test_sudoersd_without_includes:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sudoersd_without_includes:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d/.*^[#@]include(?:dir)?[\s]+.*$1
Ensure invoking users password for privilege escalation when using sudoxccdf_org.ssgproject.content_rule_sudoers_validate_passwd mediumCCE-83422-6

Ensure invoking users password for privilege escalation when using sudo

Rule IDxccdf_org.ssgproject.content_rule_sudoers_validate_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudoers_validate_passwd:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83422-6

References:  CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r880727_rule

Description
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: 
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw
or if cvtsudoers not supported: 
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw
Rationale
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
OVAL test results details

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_targetpw_config:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults !targetpw

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_rootpw_config:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults !rootpw

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_runaspw_config:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults !runaspw

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_targetpw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults targetpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_rootpw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults rootpw$\r?\n1

Ensure invoking user's password for privilege escalation when using sudo  oval:ssg-test_sudoers_runaspw_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_not_defined:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(\.d/.*)?$^Defaults runaspw$\r?\n1
Install rng-tools Packagexccdf_org.ssgproject.content_rule_package_rng-tools_installed lowCCE-82968-9

Install rng-tools Package

Rule IDxccdf_org.ssgproject.content_rule_package_rng-tools_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rng-tools_installed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82968-9

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010472, SV-244527r743830_rule

Description
The rng-tools package can be installed with the following command: 
$ sudo yum install rng-tools
Rationale
rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.
OVAL test results details

package rng-tools is installed  oval:ssg-test_package_rng-tools_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rng-toolsx86_64(none)1.el86.150:6.15-1.el8199e2f91fd431d51rng-tools-0:6.15-1.el8.x86_64
Uninstall abrt-addon-ccpp Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed lowCCE-82919-2

Uninstall abrt-addon-ccpp Package

Rule IDxccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_abrt-addon-ccpp_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82919-2

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The abrt-addon-ccpp package can be removed with the following command: 
$ sudo yum erase abrt-addon-ccpp
Rationale
abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin.
OVAL test results details

package abrt-addon-ccpp is removed  oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object
Name
abrt-addon-ccpp
Uninstall abrt-addon-kerneloops Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed lowCCE-82926-7

Uninstall abrt-addon-kerneloops Package

Rule IDxccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_abrt-addon-kerneloops_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82926-7

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The abrt-addon-kerneloops package can be removed with the following command: 
$ sudo yum erase abrt-addon-kerneloops
Rationale
abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.
OVAL test results details

package abrt-addon-kerneloops is removed  oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object
Name
abrt-addon-kerneloops
Uninstall abrt-cli Packagexccdf_org.ssgproject.content_rule_package_abrt-cli_removed lowCCE-82907-7

Uninstall abrt-cli Package

Rule IDxccdf_org.ssgproject.content_rule_package_abrt-cli_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_abrt-cli_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82907-7

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The abrt-cli package can be removed with the following command: 
$ sudo yum erase abrt-cli
Rationale
abrt-cli contains a command line client for controlling abrt daemon over sockets.
OVAL test results details

package abrt-cli is removed  oval:ssg-test_package_abrt-cli_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object
Name
abrt-cli
Uninstall abrt-plugin-sosreport Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed lowCCE-82910-1

Uninstall abrt-plugin-sosreport Package

Rule IDxccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_abrt-plugin-sosreport_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82910-1

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The abrt-plugin-sosreport package can be removed with the following command: 
$ sudo yum erase abrt-plugin-sosreport
Rationale
abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.
OVAL test results details

package abrt-plugin-sosreport is removed  oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object
Name
abrt-plugin-sosreport
Uninstall gssproxy Packagexccdf_org.ssgproject.content_rule_package_gssproxy_removed mediumCCE-82943-2

Uninstall gssproxy Package

Rule IDxccdf_org.ssgproject.content_rule_package_gssproxy_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_gssproxy_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82943-2

References:  CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule

Description
The gssproxy package can be removed with the following command: 
$ sudo yum erase gssproxy
Rationale
gssproxy is a proxy for GSS API credential handling.
Warnings
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV uses NFS storage, which has dependency on gssproxy.
OVAL test results details

package gssproxy is removed  oval:ssg-test_package_gssproxy_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
Name
gssproxy
Uninstall iprutils Packagexccdf_org.ssgproject.content_rule_package_iprutils_removed mediumCCE-82946-5

Uninstall iprutils Package

Rule IDxccdf_org.ssgproject.content_rule_package_iprutils_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_iprutils_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82946-5

References:  CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule

Description
The iprutils package can be removed with the following command: 
$ sudo yum erase iprutils
Rationale
iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.
OVAL test results details

package iprutils is removed  oval:ssg-test_package_iprutils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
Name
iprutils
Uninstall krb5-workstation Packagexccdf_org.ssgproject.content_rule_package_krb5-workstation_removed mediumCCE-82931-7

Uninstall krb5-workstation Package

Rule IDxccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82931-7

References:  CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule

Description
The krb5-workstation package can be removed with the following command: 
$ sudo yum erase krb5-workstation
Rationale
Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd).
Warnings
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV hosts require ipa-client package, which has dependency on krb5-workstation.
Uninstall libreport-plugin-logger Packagexccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed lowCCE-89201-8

Uninstall libreport-plugin-logger Package

Rule IDxccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_libreport-plugin-logger_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-89201-8

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The libreport-plugin-logger package can be removed with the following command: 
$ sudo yum erase libreport-plugin-logger
Rationale
libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system.
OVAL test results details

package libreport-plugin-logger is removed  oval:ssg-test_package_libreport-plugin-logger_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreport-plugin-logger_removed:obj:1 of type rpminfo_object
Name
libreport-plugin-logger
Uninstall libreport-plugin-rhtsupport Packagexccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed lowCCE-88955-0

Uninstall libreport-plugin-rhtsupport Package

Rule IDxccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_libreport-plugin-rhtsupport_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-88955-0

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The libreport-plugin-rhtsupport package can be removed with the following command: 
$ sudo yum erase libreport-plugin-rhtsupport
Rationale
libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system.
OVAL test results details

package libreport-plugin-rhtsupport is removed  oval:ssg-test_package_libreport-plugin-rhtsupport_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreport-plugin-rhtsupport_removed:obj:1 of type rpminfo_object
Name
libreport-plugin-rhtsupport
Uninstall python3-abrt-addon Packagexccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed lowCCE-86084-1

Uninstall python3-abrt-addon Package

Rule IDxccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_python3-abrt-addon_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-86084-1

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The python3-abrt-addon package can be removed with the following command: 
$ sudo yum erase python3-abrt-addon
Rationale
python3-abrt-addon contains python hook and python analyzer plugin for handling uncaught exceptions in python programs.
OVAL test results details

package python3-abrt-addon is removed  oval:ssg-test_package_python3-abrt-addon_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_python3-abrt-addon_removed:obj:1 of type rpminfo_object
Name
python3-abrt-addon
Uninstall tuned Packagexccdf_org.ssgproject.content_rule_package_tuned_removed mediumCCE-82904-4

Uninstall tuned Package

Rule IDxccdf_org.ssgproject.content_rule_package_tuned_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tuned_removed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82904-4

References:  CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule

Description
The tuned package can be removed with the following command: 
$ sudo yum erase tuned
Rationale
tuned contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.
Warnings
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV requires tuned package for tuning profiles that can enhance virtualization performance.
OVAL test results details

package tuned is removed  oval:ssg-test_package_tuned_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tuned_removed:obj:1 of type rpminfo_object
Name
tuned
Ensure yum Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-82476-3

Ensure yum Removes Previous Package Versions

Rule IDxccdf_org.ssgproject.content_rule_clean_components_post_updating
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-clean_components_post_updating:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82476-3

References:  18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, RHEL-08-010440, SV-230281r854034_rule

Description
yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf.
Rationale
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
OVAL test results details

check value of clean_requirements_on_remove in /etc/yum.conf  oval:ssg-test_yum_clean_components_post_updating:tst:1  true

Following items have been found on the system:
PathContent
/etc/yum.confclean_requirements_on_remove=True
Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9

Ensure gpgcheck Enabled In Main yum Configuration

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_globally_activated:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80790-9

References:  BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010370, 1.2.3, SV-230264r880711_rule

Description
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section: 
gpgcheck=1
Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
OVAL test results details

check value of gpgcheck in /etc/yum.conf  oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1  true

Following items have been found on the system:
PathContent
/etc/yum.confgpgcheck=1
Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7

Ensure gpgcheck Enabled for Local Packages

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_local_packages:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80791-7

References:  BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r877463_rule

Description
yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
Rationale
Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
OVAL test results details

check value of localpkg_gpgcheck in /etc/yum.conf  oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1  true

Following items have been found on the system:
PathContent
/etc/yum.conflocalpkg_gpgcheck = 1
Ensure gpgcheck Enabled for All yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-80792-5

Ensure gpgcheck Enabled for All yum Package Repositories

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_never_disabled:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80792-5

References:  BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule

Description
To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form: 
gpgcheck=0
Rationale
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."
OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files  oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/yum.repos.d.*^\s*gpgcheck\s*=\s*0\s*$1
Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-80795-8

Ensure Red Hat GPG Key Installed

Rule IDxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_redhat_gpgkey_installed:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80795-8

References:  BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, 1.2.2

Description
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: 
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: 
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: 
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

Red Hat release key package is installed  oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
gpg-pubkey(none)(none)6196a254e96e3db70:e96e3db7-6196a2540gpg-pubkey-0:e96e3db7-6196a254.(none)
gpg-pubkey(none)(none)5b32db75d40827920:d4082792-5b32db750gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey(none)(none)53a9be98de57bfbe0:de57bfbe-53a9be980gpg-pubkey-0:de57bfbe-53a9be98.(none)
gpg-pubkey(none)(none)4ae0493bfd431d510:fd431d51-4ae0493b0gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey(none)(none)5cf7cefb2f86d6a10:2f86d6a1-5cf7cefb0gpg-pubkey-0:2f86d6a1-5cf7cefb.(none)

Red Hat auxiliary key package is installed  oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
gpg-pubkey(none)(none)6196a254e96e3db70:e96e3db7-6196a2540gpg-pubkey-0:e96e3db7-6196a254.(none)
gpg-pubkey(none)(none)5b32db75d40827920:d4082792-5b32db750gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey(none)(none)53a9be98de57bfbe0:de57bfbe-53a9be980gpg-pubkey-0:de57bfbe-53a9be98.(none)
gpg-pubkey(none)(none)4ae0493bfd431d510:fd431d51-4ae0493b0gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey(none)(none)5cf7cefb2f86d6a10:2f86d6a1-5cf7cefb0gpg-pubkey-0:2f86d6a1-5cf7cefb.(none)

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Check os-release ID  oval:ssg-test_centos8_name:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

Check os-release ID  oval:ssg-test_centos8_name:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="rhel"

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)"$1

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)"$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Check os-release ID  oval:ssg-test_centos8_name:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

Check os-release ID  oval:ssg-test_centos8_name:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="rhel"

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)"$1

Check os-release VERSION_ID  oval:ssg-test_centos8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)"$1

CentOS8 key package is installed  oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
gpg-pubkey(none)(none)6196a254e96e3db70:e96e3db7-6196a2540gpg-pubkey-0:e96e3db7-6196a254.(none)
gpg-pubkey(none)(none)5b32db75d40827920:d4082792-5b32db750gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey(none)(none)53a9be98de57bfbe0:de57bfbe-53a9be980gpg-pubkey-0:de57bfbe-53a9be98.(none)
gpg-pubkey(none)(none)4ae0493bfd431d510:fd431d51-4ae0493b0gpg-pubkey-0:fd431d51-4ae0493b.(none)
gpg-pubkey(none)(none)5cf7cefb2f86d6a10:2f86d6a1-5cf7cefb0gpg-pubkey-0:2f86d6a1-5cf7cefb.(none)
Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date mediumCCE-80865-9

Ensure Software Patches Installed

Rule IDxccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result
notchecked
Multi-check ruleyes
OVAL Definition ID
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80865-9

References:  BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, RHEL-08-010010, 1.9, SV-230222r627750_rule

Description
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: 
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Warnings
warning  The OVAL feed of Red Hat Enterprise Linux 8 is not a XML file, which may not be understood by all scanners.
Evaluation messages
info  
None of the check-content-ref elements was resolvable.
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-80768-5

Enable GNOME3 Login Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80768-5

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, 1.8.2, SV-244519r743806_rule

Description
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example: 
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-80763-6

Modify the System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_issue:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80763-6

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010060, 1.7.2, SV-230227r627750_rule

Description
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
OVAL test results details

correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  true

Following items have been found on the system:
PathContent
/etc/issueYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Limit Password Reuse: password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth mediumCCE-83478-8

Limit Password Reuse: password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83478-8

References:  BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-08-020220, 5.5.3, SV-230368r810414_rule

Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: 
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than 5
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
warning  Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files. If a custom profile was created and used in the system before this authselect feature was available, the new feature can't be used with this custom profile and the remediation will fail. In this case, the custom profile should be recreated or manually updated.
OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword requisite pam_pwhistory.so remember=5
/etc/pam.d/password-authpassword required pam_pwhistory.so remember=5

Check remember parameter is present and correct in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pamd:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword required pam_pwhistory.so remember=5

Check the absence of remember parameter in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*remember\s*=\s*([0-9]+)^/etc/security/pwhistory.conf$1

Check remember parameter is absent in /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pamd:tst:1  false

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword required pam_pwhistory.so remember=5

Check remember parameter is present and correct in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*remember\s*=\s*([0-9]+)
^/etc/security/pwhistory.conf$1
Limit Password Reuse: system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth mediumCCE-83480-4

Limit Password Reuse: system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83480-4

References:  BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-08-020221, 5.5.3, SV-251717r858745_rule

Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: 
authselect enable-feature with-pwhistory
Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than 5
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
warning  Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files.
OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword requisite pam_pwhistory.so remember=5
/etc/pam.d/system-authpassword required pam_pwhistory.so remember=5

Check remember parameter is present and correct in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pamd:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword required pam_pwhistory.so remember=5

Check the absence of remember parameter in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^\s*remember\s*=\s*([0-9]+)^/etc/security/pwhistory.conf$1

Check remember parameter is absent in /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd:tst:1  false

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword required pam_pwhistory.so remember=5

Check remember parameter is present and correct in /etc/security/pwhistory.conf  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
5
^\s*remember\s*=\s*([0-9]+)
^/etc/security/pwhistory.conf$1
Account Lockouts Must Be Loggedxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit mediumCCE-86099-9

Account Lockouts Must Be Logged

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_audit:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86099-9

References:  CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, RHEL-08-020021, SV-230343r743981_rule

Description
PAM faillock locks an account due to excessive password failures, this event must be logged.
Rationale
Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.
OVAL test results details

Check the presence of audit parameter in system-auth  oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/system-auth1

Check the presence of audit parameter in password-auth  oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/password-auth1

Check the absence of audit parameter in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confaudit
/etc/security/faillock.confaudit

Check the absence of audit parameter in system-auth  oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/system-auth1

Check the absence of audit parameter in password-auth  oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit/etc/pam.d/password-auth1

Check the expected audit value in in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confaudit
/etc/security/faillock.confaudit
Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9

Lock Accounts After Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_deny:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80667-9

References:  BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020011, 5.4.2, 5.5.2, SV-230333r743966_rule

Description
This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=2 ignore=ignore success=ok] pam_localuser.so auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected deny value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected deny value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of deny parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confdeny = 3

Check the absence of deny parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of deny parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected deny value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confdeny = 3
Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80668-7

Configure the root Account for Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_deny_root:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80668-7

References:  BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020022, SV-230344r646874_rule

Description
This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one pattern occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=2 ignore=ignore success=ok] pam_localuser.so auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one pattern occurrence is expected in account section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one pattern occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one pattern occurrence is expected in account section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected even_deny_root parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/system-auth$1

Check the expected even_deny_root parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/password-auth$1

Check the absence of even_deny_root parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confeven_deny_root

Check the absence of even_deny_root parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/system-auth$1

Check the absence of even_deny_root parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root^/etc/pam.d/password-auth$1

Check the expected even_deny_root parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confeven_deny_root
Lock Accounts Must Persistxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir mediumCCE-86067-6

Lock Accounts Must Persist

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_dir:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86067-6

References:  CCI-000044, CCI-002238, AC-7(b), AC-7(a), AC-7.1(ii), SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, RHEL-08-020017, SV-230339r743975_rule

Description
This rule ensures that the system lock out accounts using pam_faillock.so persist after system reboot. From "pam_faillock" man pages: 
Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. In combination with the silent option, user enumeration attacks are also mitigated.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

Check that the expected dir value in system-auth is present both with preauth and authfail  oval:ssg-test_pam_faillock_dir_parameter_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_system_auth:obj:1 of type variable_object
Var ref
oval:ssg-var_faillock_dir_set_both_preauth_authfail_system_auth:var:1

Check that the expected dir value in password-auth is present both with preauth and authfail  oval:ssg-test_pam_faillock_dir_parameter_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_password_auth:obj:1 of type variable_object
Var ref
oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1

Check the absence of dir parameter in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_dir_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confdir = /var/log/faillock

Check the absence of dir parameter in system-auth  oval:ssg-test_pam_faillock_dir_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstanceFilter
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+)
dir\s*=\s*(\S+|"[^"]+)
/etc/pam.d/system-auth1oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1

Check the absence of dir parameter in password-auth  oval:ssg-test_pam_faillock_dir_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstanceFilter
^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+)
dir\s*=\s*(\S+|"[^"]+)
/etc/pam.d/password-auth1oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1

Check the expected dir value in in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_dir_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confdir = /var/log/faillock
Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-80669-5

Set Interval For Counting Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_interval:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80669-5

References:  BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020012, SV-230334r627750_rule

Description
Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period.
Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=2 ignore=ignore success=ok] pam_localuser.so auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected fail_interval value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected fail_interval value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of fail_interval parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.conffail_interval = 900

Check the absence of fail_interval parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of fail_interval parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected fail_interval value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.conffail_interval = 900
Do Not Show System Messages When Unsuccessful Logon Attempts Occurxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent mediumCCE-87096-4

Do Not Show System Messages When Unsuccessful Logon Attempts Occur

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_silent:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-87096-4

References:  CCI-002238, CCI-000044, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020019, SV-230341r743978_rule

Description
This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
The pam_faillock module without the silent option will leak information about the existence or non-existence of a user account in the system because the failures are not recorded for unknown users. The message about the user account being locked is never displayed for non-existing user accounts allowing the adversary to infer that a particular account exists or not on the system.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

Check the presence of silent parameter in system-auth  oval:ssg-test_pam_faillock_silent_parameter_system_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent

Check the presence of silent parameter in password-auth  oval:ssg-test_pam_faillock_silent_parameter_password_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent

Check the absence of silent parameter in system-auth  oval:ssg-test_pam_faillock_silent_parameter_no_pamd_system:tst:1  false

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent

Check the absence of silent parameter in password-auth  oval:ssg-test_pam_faillock_silent_parameter_no_pamd_password:tst:1  false

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent

Check the expected silent value in in /etc/security/faillock.conf  oval:ssg-test_pam_faillock_silent_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confsilent
/etc/security/faillock.confsilent
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3

Set Lockout Time for Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80670-3

References:  BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020016, 5.5.2, SV-230338r627750_rule

Description
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.
Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system supports the new /etc/security/faillock.conf file but the pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter to /etc/security/faillock.conf to ensure compatibility with authselect tool. The parameters deny and fail_interval, if used, also have to be migrated by their respective remediation.
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=2 ignore=ignore success=ok] pam_localuser.so auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected unlock_time value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
0
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected unlock_time value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
0
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of unlock_time parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confunlock_time = 0

Check the absence of unlock_time parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of unlock_time parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected unlock_time value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confunlock_time = 0
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-80653-9

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_dcredit:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80653-9

References:  BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, RHEL-08-020130, SV-230359r858775_rule

Description
The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_dcredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confdcredit = -1
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Wordsxccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck mediumCCE-86233-4

Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_dictcheck:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86233-4

References:  CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000480-GPOS-00225, RHEL-08-020300, SV-230377r858789_rule

Description
The pam_pwquality module's dictcheck check if passwords contains dictionary words. When dictcheck is set to 1 passwords will be checked for dictionary words.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with dictionary words may be more vulnerable to password-guessing attacks.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_dictcheck:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confdictcheck = 1
Ensure PAM Enforces Password Requirements - Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-80654-7

Ensure PAM Enforces Password Requirements - Minimum Different Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_difok
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_difok:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80654-7

References:  1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020170, SV-230363r858783_rule

Description
The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_difok:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confdifok = 8
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-80655-4

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_lcredit:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80655-4

References:  BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, RHEL-08-020120, SV-230358r858773_rule

Description
The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_lcredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.conflcredit = -1
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-81034-1

Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_maxclassrepeat:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81034-1

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020140, SV-230360r858777_rule

Description
The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confmaxclassrepeat = 4
Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-82066-2

Set Password Maximum Consecutive Repeating Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_maxrepeat:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82066-2

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020150, SV-230361r858779_rule

Description
The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 3 to prevent a run of (3 + 1) or more identical characters.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confmaxrepeat = 3
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-82046-4

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minclass:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82046-4

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r858781_rule

Description
The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available: 
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minclass:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confminclass = 4
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2

Ensure PAM Enforces Password Requirements - Minimum Length

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minlen:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80656-2

References:  BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, RHEL-08-020230, 5.5.1, SV-230369r858785_rule

Description
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements.
Rationale
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minlen:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confminlen = 15
Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-80663-8

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_ocredit:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80663-8

References:  BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, RHEL-08-020280, SV-230375r858787_rule

Description
The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_ocredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confocredit = -1
Ensure PAM password complexity module is enabled in password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth mediumCCE-85877-9

Ensure PAM password complexity module is enabled in password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwquality_password_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85877-9

References:  CCI-000366, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227, RHEL-08-020100, SV-230356r809379_rule

Description
To enable PAM password complexity in password-auth file: Edit the password section in /etc/pam.d/password-auth to show password requisite pam_pwquality.so.
Rationale
Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwquality_password_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword requisite pam_pwquality.so
Ensure PAM password complexity module is enabled in system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth mediumCCE-85872-0

Ensure PAM password complexity module is enabled in system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwquality_system_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85872-0

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-020101, SV-251713r810407_rule

Description
To enable PAM password complexity in system-auth file: Edit the password section in /etc/pam.d/system-auth to show password requisite pam_pwquality.so.
Rationale
Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwquality_system_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword requisite pam_pwquality.so
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry mediumCCE-80664-6

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_retry:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80664-6

References:  1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.5.1, SV-251716r858737_rule

Description
To configure the number of retry prompts that are permitted per-session: Edit the /etc/security/pwquality.conf to include retry=3, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Rationale
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confretry = 3
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-80665-3

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_ucredit:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80665-3

References:  BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, RHEL-08-020110, SV-230357r858771_rule

Description
The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so local_users_only

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_ucredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confucredit = -1
Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-80892-3

Set Password Hashing Algorithm in /etc/login.defs

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_logindefs:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80892-3

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-08-010110, 5.5.4, SV-230231r877397_rule

Description
In /etc/login.defs, add or correct the following line to ensure the system will use SHA512 as the hashing algorithm: 
ENCRYPT_METHOD SHA512
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
OVAL test results details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs  oval:ssg-test_etc_login_defs_encrypt_method:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_last_encrypt_method_instance_value:var:1SHA512
Set PAM''s Password Hashing Algorithm - password-authxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth mediumCCE-85945-4

Set PAM''s Password Hashing Algorithm - password-auth

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_passwordauth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85945-4

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010160, 5.5.4, SV-230237r809276_rule

Description
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/password-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: 
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/password-auth for correct settings  oval:ssg-test_pam_unix_passwordauth_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword sufficient pam_unix.so sha512 shadow use_authtok
Set PAM''s Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-80893-1

Set PAM''s Password Hashing Algorithm

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80893-1

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010159, 5.5.4, SV-244524r809331_rule

Description
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: 
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/system-auth for correct settings  oval:ssg-test_pam_unix_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword sufficient pam_unix.so sha512 shadow use_authtok
Set Password Hashing Rounds in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs mediumCCE-89707-4

Set Password Hashing Rounds in /etc/login.defs

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_min_rounds_logindefs:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89707-4

References:  CCI-000196, CCI-000803, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010130, SV-230233r880705_rule

Description
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example: 
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using more hashing rounds makes password cracking attacks more difficult.
OVAL test results details

SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s*1

SHA_CRYPT_MIN_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_present:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_present:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\s*$1

SHA_CRYPT_MAX_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MAX_ROUNDS\s*1

SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value  oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MIN_ROUNDS\s*1

SHA_CRYPT_MAX_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000  oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_present:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_present:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/login.defs^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\s*$1
Install the tmux Packagexccdf_org.ssgproject.content_rule_package_tmux_installed mediumCCE-80644-8

Install the tmux Package

Rule IDxccdf_org.ssgproject.content_rule_package_tmux_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tmux_installed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80644-8

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, RHEL-08-020039, SV-244537r743860_rule

Description
To enable console screen locking, install the tmux package. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Instruct users to begin new terminal sessions with the following command: 
$ tmux
The console can now be locked with the following key combination: 
ctrl+b :lock-session
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The tmux package allows for a session lock to be implemented and configured.
OVAL test results details

package tmux is installed  oval:ssg-test_package_tmux_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
tmuxx86_64(none)1.el82.70:2.7-1.el8199e2f91fd431d51tmux-0:2.7-1.el8.x86_64
Support session locking with tmux (not enforcing)xccdf_org.ssgproject.content_rule_configure_bashrc_tmux mediumCCE-90782-4

Support session locking with tmux (not enforcing)

Rule IDxccdf_org.ssgproject.content_rule_configure_bashrc_tmux
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_bashrc_tmux:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-90782-4

References:  CCI-000056, CCI-000058, SRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020041, SV-230349r880737_rule

Description
The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/.
Rationale
Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
Warnings
warning  This rule configures Tmux to be executed in a way that exiting Tmux drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.

Complexity:low
Disruption:low
Reboot:true
Strategy:enable
# Remediation is applicable only in certain platforms
if rpm --quiet -q tmux; then

if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
    cat >> /etc/profile.d/tmux.sh <<'EOF'
if [ "$PS1" ]; then
  parent=$(ps -o ppid= -p $$)
  name=$(ps -o comm= -p $parent)
  case "$name" in sshd|login) tmux ;; esac
fi
EOF
    chmod 0644 /etc/profile.d/tmux.sh
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90782-4
  - DISA-STIG-RHEL-08-020041
  - configure_bashrc_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
    launch script is present in /etc/bashrc'
  ansible.builtin.find:
    paths: /etc
    patterns: bashrc
    contains: .*case "$name" in sshd|login) tmux ;; esac.*
  register: tmux_in_bashrc
  when: '"tmux" in ansible_facts.packages'
  tags:
  - CCE-90782-4
  - DISA-STIG-RHEL-08-020041
  - configure_bashrc_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
    launch script is present in /etc/profile.d/*.sh'
  ansible.builtin.find:
    paths: /etc/profile.d
    patterns: '*.sh'
    contains: .*case "$name" in sshd|login) tmux ;; esac.*
  register: tmux_in_profile_d
  when: '"tmux" in ansible_facts.packages'
  tags:
  - CCE-90782-4
  - DISA-STIG-RHEL-08-020041
  - configure_bashrc_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux (not enforcing): Insert the correct script
    into /etc/profile.d/tmux.sh'
  ansible.builtin.blockinfile:
    path: /etc/profile.d/tmux.sh
    block: |
      if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in sshd|login) tmux ;; esac
      fi
    create: true
  when:
  - '"tmux" in ansible_facts.packages'
  - tmux_in_bashrc is defined and tmux_in_bashrc.matched == 0
  - tmux_in_profile_d is defined and tmux_in_profile_d.matched == 0
  tags:
  - CCE-90782-4
  - DISA-STIG-RHEL-08-020041
  - configure_bashrc_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
OVAL test results details

check tmux is configured to be launched on the last line of /etc/bashrc  oval:ssg-test_configure_bashrc_tmux:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_configure_bashrc_tmux:obj:1 of type textfilecontent54_object
BehaviorsFilepathPatternInstance
no value^/etc/bashrc$|^/etc/profile\.d/.*$if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) tmux ;; esac\nfi1
Configure tmux to lock session after inactivityxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time mediumCCE-82199-1

Configure tmux to lock session after inactivity

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_tmux_lock_after_time:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82199-1

References:  CCI-000057, CCI-000060, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020070, SV-230353r627750_rule

Description
To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to a value greater than 0 and less than or equal to 900 in /etc/tmux.conf.
Rationale
Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.
OVAL test results details

check lock-after-time is set to 900 in /etc/tmux.conf  oval:ssg-test_configure_tmux_lock_after_time:tst:1  true

Following items have been found on the system:
PathContent
/etc/tmux.confset -g lock-after-time 900

Check /etc/tmux.conf is readable by others  oval:ssg-test_tmux_conf_readable_by_others:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/tmux.confregular0073rw-r--r-- 
Configure the tmux Lock Commandxccdf_org.ssgproject.content_rule_configure_tmux_lock_command mediumCCE-80940-0

Configure the tmux Lock Command

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_command
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_tmux_lock_command:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80940-0

References:  CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r880720_rule

Description
To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf: 
set -g lock-command vlock
. The console can now be locked with the following key combination: 
ctrl+b :lock-session
Rationale
The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.
OVAL test results details

check lock-command is set to vlock in /etc/tmux.conf  oval:ssg-test_configure_tmux_lock_command:tst:1  true

Following items have been found on the system:
PathContent
/etc/tmux.confset -g lock-command vlock

Check /etc/tmux.conf is readable by others  oval:ssg-test_tmux_conf_readable_by_others:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/tmux.confregular0073rw-r--r-- 
Configure the tmux lock session key bindingxccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding lowCCE-86135-1

Configure the tmux lock session key binding

Rule IDxccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_tmux_lock_keybinding:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-86135-1

References:  CCI-000056, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r880720_rule

Description
To set a key binding for the screen locking in tmux terminal multiplexer, the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: 
bind X lock-session
. The console can now be locked with the following key combination: 
Ctrl+b Shift+x
Rationale
The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.
OVAL test results details

check lock-sessin is bound to a key in /etc/tmux.conf  oval:ssg-test_configure_tmux_lock_keybinding:tst:1  true

Following items have been found on the system:
PathContent
/etc/tmux.confbind X lock-session

Check /etc/tmux.conf is readable by others  oval:ssg-test_tmux_conf_readable_by_others:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/tmux.confregular0073rw-r--r-- 
Prevent user from disabling the screen lockxccdf_org.ssgproject.content_rule_no_tmux_in_shells lowCCE-82361-7

Prevent user from disabling the screen lock

Rule IDxccdf_org.ssgproject.content_rule_no_tmux_in_shells
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_tmux_in_shells:def:1
Time2023-05-08T20:22:30+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82361-7

References:  CCI-000056, CCI-000058, CM-6, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020042, SV-230350r627750_rule

Description
The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
Rationale
Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.
OVAL test results details

check that tmux is not listed in /etc/shells  oval:ssg-test_no_tmux_in_shells:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_no_tmux_in_shells:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shellstmux\s*$1
Install the opensc Package For Multifactor Authenticationxccdf_org.ssgproject.content_rule_package_opensc_installed mediumCCE-80846-9

Install the opensc Package For Multifactor Authentication

Rule IDxccdf_org.ssgproject.content_rule_package_opensc_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_opensc_installed:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80846-9

References:  CCI-001954, CCI-001953, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, RHEL-08-010410, SV-230275r854030_rule

Description
The opensc package can be installed with the following command: 
$ sudo yum install opensc
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
OVAL test results details

package opensc is installed  oval:ssg-test_package_opensc_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openscx86_64(none)4.el80.20.00:0.20.0-4.el8199e2f91fd431d51opensc-0:0.20.0-4.el8.x86_64
Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages mediumCCE-84029-8

Install Smart Card Packages For Multifactor Authentication

Rule IDxccdf_org.ssgproject.content_rule_install_smartcard_packages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-install_smartcard_packages:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84029-8

References:  CCI-000765, CCI-001948, CCI-001953, CCI-001954, CM-6(a), Req-8.3, SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162, RHEL-08-010390, SV-230273r854028_rule

Description
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The openssl-pkcs11 package can be installed with the following command: 
$ sudo yum install openssl-pkcs11
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
OVAL test results details

package openssl-pkcs11 is installed  oval:ssg-test_package_openssl-pkcs11_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssl-pkcs11x86_64(none)2.el80.4.100:0.4.10-2.el8199e2f91fd431d51openssl-pkcs11-0:0.4.10-2.el8.x86_64
Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-80876-6

Disable debug-shell SystemD Service

Rule IDxccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_debug-shell_disabled:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80876-6

References:  3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040180, SV-230532r627750_rule

Description
SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command: 
$ sudo systemctl mask --now debug-shell.service
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
OVAL test results details

package systemd is removed  oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
systemdx86_64(none)68.el8_7.42390:239-68.el8_7.4199e2f91fd431d51systemd-0:239-68.el8_7.4.x86_64

Test that the debug-shell service is not running  oval:ssg-test_service_not_running_debug-shell:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object
UnitProperty
^debug-shell\.(service|socket)$ActiveState

Test that the property LoadState from the service debug-shell is masked  oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object
UnitProperty
^debug-shell\.(service|socket)$LoadState
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-80784-2

Disable Ctrl-Alt-Del Burst Action

Rule IDxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_ctrlaltdel_burstaction:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80784-2

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040172, SV-230531r627750_rule

Description
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf: 
CtrlAltDelBurstAction=none
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings
warning  Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
OVAL test results details

check if CtrlAltDelBurstAction is set to none  oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/system.confCtrlAltDelBurstAction=none
Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-80785-9

Disable Ctrl-Alt-Del Reboot Activation

Rule IDxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_ctrlaltdel_reboot:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80785-9

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040170, SV-230529r833338_rule

Description
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: 
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or 
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
OVAL test results details

Disable Ctrl-Alt-Del key sequence override exists  oval:ssg-test_disable_ctrlaltdel_exists:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/systemd/system/ctrl-alt-del.target/dev/null
Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-82186-8

Require Authentication for Emergency Systemd Target

Rule IDxccdf_org.ssgproject.content_rule_require_emergency_target_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_emergency_target_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82186-8

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, 1.4.3, SV-244523r743818_rule

Description
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_emergency_service:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/emergency.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Tests that the systemd emergency.service is in the emergency.target  oval:ssg-test_require_emergency_service_emergency_target:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/emergency.targetRequires=emergency.service

look for emergency.target in /etc/systemd/system  oval:ssg-test_no_custom_emergency_target:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.target$

look for emergency.service in /etc/systemd/system  oval:ssg-test_no_custom_emergency_service:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.service$
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-80855-0

Require Authentication for Single User Mode

Rule IDxccdf_org.ssgproject.content_rule_require_singleuser_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_singleuser_auth:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80855-0

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, 1.4.3, SV-230236r743928_rule

Description
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_rescue_service:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/rescue.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-82473-0

Set Existing Passwords Maximum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_max_life_existing:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82473-0

References:  CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule

Description
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: 
$ sudo chage -M 60 USER
Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
OVAL test results details

Password maximum lifetime for existing accounts is at least the minimum.  oval:ssg-test_password_max_life_existing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_max_life_existing:obj:1 of type shadow_object
UsernameFilter
.*oval:ssg-filter_no_passwords_or_locked_accounts_max_life:ste:1

Password maximum life entry is at least a defined minimum  oval:ssg-test_password_max_life_existing_minimum:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_max_life_existing:obj:1 of type shadow_object
UsernameFilter
.*oval:ssg-filter_no_passwords_or_locked_accounts_max_life:ste:1
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-82472-2

Set Existing Passwords Minimum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_min_life_existing:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82472-2

References:  CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule

Description
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: 
$ sudo chage -m 1 USER
Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
OVAL test results details

Password minimum lifetime for existing accounts is at least what is defined by policy.  oval:ssg-test_password_min_life_existing:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_min_life_existing:obj:1 of type shadow_object
UsernameFilter
.*oval:ssg-filter_no_passwords_or_locked_accounts_min_life:ste:1

Password minimum life entry is at mosta defined maximum  oval:ssg-test_password_min_life_existing_maximum:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_min_life_existing:obj:1 of type shadow_object
UsernameFilter
.*oval:ssg-filter_no_passwords_or_locked_accounts_min_life:ste:1
Verify All Account Password Hashes are Shadowed with SHA512xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 mediumCCE-83484-6

Verify All Account Password Hashes are Shadowed with SHA512

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_all_shadowed_sha512:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83484-6

References:  CCI-000196, CCI-000803, IA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010120, SV-230232r877397_rule

Description
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: 
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
OVAL test results details

password hashes are shadowed using sha512  oval:ssg-test_accounts_password_all_shadowed_sha512:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_all_shadowed_sha512:obj:1 of type shadow_object
UsernameFilterFilterFilter
.*oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1oval:ssg-state_accounts_password_all_shadowed_has_locked_password:ste:1oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-80841-0

Prevent Login to Accounts With Empty Password

Rule IDxccdf_org.ssgproject.content_rule_no_empty_passwords
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_empty_passwords:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80841-0

References:  1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, RHEL-08-020331, 5.4.1, SV-244540r743869_rule

Description
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.
Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.
OVAL test results details

make sure nullok is not used in /etc/pam.d/system-auth  oval:ssg-test_no_empty_passwords:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/pam.d/(system|password)-auth$^[^#]*\bnullok\b.*$1
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-80649-7

Verify Only Root Has UID 0

Rule IDxccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_no_uid_except_zero:def:1
Time2023-05-08T20:22:30+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80649-7

References:  1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.2.1, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule

Description
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_no_uid_except_root:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/passwd^(?!root:)[^:]*:[^:]*:01
Only Authorized Local User Accounts Exist on Operating Systemxccdf_org.ssgproject.content_rule_accounts_authorized_local_users mediumCCE-85987-6

Only Authorized Local User Accounts Exist on Operating System

Rule IDxccdf_org.ssgproject.content_rule_accounts_authorized_local_users
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_authorized_local_users:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85987-6

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-020320, SV-230379r627750_rule

Description
Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed software groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command: 
$ sudo userdel unauthorized_user
Rationale
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
OVAL test results details

query /etc/passwd  oval:ssg-test_accounts_authorized_local_users:tst:1  false

Following items have been found on the system:
PathContent
/etc/passwdadm:
/etc/passwdpolkitd:
/etc/passwdsssd:
/etc/passwdchrony:
/etc/passwdsshd:
/etc/passwdmaintuser:
/etc/passwdfapolicyd:
/etc/passwdpostfix:
/etc/passwdnobody:
/etc/passwdftp:
/etc/passwdgames:
/etc/passwdoperator:
/etc/passwdmail:
/etc/passwdhalt:
/etc/passwdshutdown:
/etc/passwdsync:
/etc/passwddaemon:
/etc/passwdbin:
/etc/passwdtss:
/etc/passwdsystemd-coredump:
/etc/passwdsystemd-resolve:
/etc/passwdunbound:
/etc/passwdlp:
/etc/passwddbus:
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-81036-6

Ensure the Default Bash Umask is Set Correctly

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_bashrc:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81036-6

References:  BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, Req-8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Description
To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows: 
umask 077
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:163

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_bashrc:tst:1  true

Following items have been found on the system:
Var refValueValueValueValueValueValueValueValue
oval:ssg-var_etc_bashrc_umask_as_number:var:16363636363636363
Ensure the Default C Shell Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc mediumCCE-81037-4

Ensure the Default C Shell Umask is Set Correctly

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_csh_cshrc:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81037-4

References:  18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, SV-230385r792902_rule

Description
To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows: 
umask 077
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:163

Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1  true

Following items have been found on the system:
Var refValueValueValueValueValueValueValueValue
oval:ssg-var_etc_csh_cshrc_umask_as_number:var:16363636363636363
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile mediumCCE-81035-8

Ensure the Default Umask is Set Correctly in /etc/profile

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_profile:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81035-8

References:  BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, Req-8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Description
To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: 
umask 077
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:163

Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_profile:tst:1  true

Following items have been found on the system:
Var refValueValueValueValueValueValueValueValue
oval:ssg-var_etc_profile_umask_as_number:var:16363636363636363
Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users mediumCCE-84044-7

Ensure the Default Umask is Set Correctly For Interactive Users

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_interactive_users:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84044-7

References:  CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, RHEL-08-020352, SV-230384r858732_rule

Description
Remove the UMASK environment variable from all interactive users initialization files.
Rationale
The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
OVAL test results details

Umask must not be defined in user initialization files  oval:ssg-test_accounts_umask_interactive_users:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type textfilecontent54_object
PathFilenamePatternInstanceFilter
/home/maintuser^\..*^[\s]*umask\s*1oval:ssg-state_accounts_umask_interactive_users_bash_history:ste:1
Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay mediumCCE-84037-1

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule IDxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_logon_fail_delay:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84037-1

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, RHEL-08-020310, SV-230378r627750_rule

Description
To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: 
FAIL_DELAY 4
Rationale
Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
OVAL test results details

check FAIL_DELAY in /etc/login.defs  oval:ssg-test_accounts_logon_fail_delay:tst:1  true

Following items have been found on the system:
PathContent
/etc/login.defsFAIL_DELAY 4
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-84039-7

User Initialization Files Must Not Run World-Writable Programs

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_dot_no_world_writable_programs:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84039-7

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, 6.2.12, SV-230309r627750_rule

Description
Set the mode on files being executed by the user initialization files with the following command: 
$ sudo chmod o-w FILE
Rationale
If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
OVAL test results details

Init files do not execute world-writable programs  oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
BehaviorsPathFilenamePatternInstance
(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)
/home/maintuser
Referenced variable has no values (oval:ssg-var_world_writable_programs_regex:var:1).		no value1
Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only mediumCCE-84040-5

Ensure that Users Path Contains Only Local Directories

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84040-5

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010690, SV-230317r792896_rule

Description
Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
Rationale
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Evaluation messages
info  
No candidate or applicable check found.
All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined mediumCCE-84036-3

All Interactive Users Must Have A Home Directory Defined

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_interactive_home_directory_defined:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84036-3

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010720, SV-230320r627750_rule

Description
Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like /users, /tmp or /.
Rationale
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
OVAL test results details

All Interactive Users Have A Home Directory Defined  oval:ssg-test_accounts_user_interactive_home_directory_defined:tst:1  true

Following items have been found on the system:
UsernamePasswordUser idGroup idGcosHome dirLogin shellLast login
maintuserx10001000Local Maintenance User/home/maintuser/bin/bash0
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-83424-2

All Interactive Users Home Directories Must Exist

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_interactive_home_directory_exists:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83424-2

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule

Description
Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd: 
$ sudo mkdir /home/USER
Rationale
If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
OVAL test results details

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:11

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:11
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Groupxccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership mediumCCE-86534-5

All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

Rule IDxccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_users_home_files_groupownership:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86534-5

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010741, SV-244532r743845_rule

Description
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: 
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.
Rationale
If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
Warnings
warning  Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of folders or files in their respective home directories.
OVAL test results details

All home directories files are group-owned by a local interactive user  oval:ssg-test_accounts_users_home_files_groupownership:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/maintuser/.bash_logoutregular1000100018rw-r--r-- 
/home/maintuser/.bash_profileregular10001000141rw-r--r-- 
/home/maintuser/.bashrcregular10001000376rw-r--r-- 
/home/maintuser/.ssh/authorized_keysregular10001000752rw------- 
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions mediumCCE-85888-6

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_users_home_files_permissions:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85888-6

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010731, SV-244531r743842_rule

Description
Set the mode on files and directories in the local interactive user home directory with the following command: 
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.
Rationale
If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.
OVAL test results details

All files into home directories have proper permissions  oval:ssg-test_accounts_users_home_files_permissions_files:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/maintuser/.ssh/authorized_keysregular10001000752rw------- 

All directories into home directories have proper permissions  oval:ssg-test_accounts_users_home_files_permissions_dirs:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/maintuser/.ssh/directory1000100029rwx------ 
/home/maintuser/directory1000100074rwx------ 
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-83434-1

All Interactive User Home Directories Must Be Group-Owned By The Primary Group

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_home_directories:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83434-1

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r880717_rule

Description
Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command: 
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
Rationale
If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Warnings
warning  Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.
OVAL test results details

All home directories are group-owned by a local interactive group  oval:ssg-test_file_groupownership_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/maintuser/directory1000100074rwx------ 
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files mediumCCE-84043-9

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permission_user_init_files
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84043-9

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010770, SV-230325r627750_rule

Description
Set the mode of the user initialization files to 0740 with the following command: 
$ sudo chmod 0740 /home/USER/.INIT_FILE
Rationale
Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Evaluation messages
info  
No candidate or applicable check found.
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-84038-9

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_home_directories:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84038-9

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, 6.2.11, SV-230321r627750_rule

Description
Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command: 
$ sudo chmod 0750 /home/USER
Rationale
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
OVAL test results details

All home directories have proper permissions  oval:ssg-test_file_permissions_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/maintuser/directory1000100074rwx------ 
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-88248-0

Enable authselect

Rule IDxccdf_org.ssgproject.content_rule_enable_authselect
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_authselect:def:1
Time2023-05-08T20:22:30+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88248-0

References:  BP28(R5), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3

Description
Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the sssd profile.
Rationale
Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases.
Warnings
warning  If the sudo authselect select command returns an error informing that the chosen profile cannot be selected, it is probably because PAM files have already been modified by the administrator. If this is the case, in order to not overwrite the desired changes made by the administrator, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.
OVAL test results details

The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/fingerprint-auth/etc/authselect/fingerprint-auth

The 'password-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_password_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/password-auth/etc/authselect/password-auth

The 'postlogin' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/postlogin/etc/authselect/postlogin

The 'smartcard-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/smartcard-auth/etc/authselect/smartcard-auth

The 'system-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_system_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/system-auth/etc/authselect/system-auth
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-80685-1

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chmod:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80685-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-80686-9

Record Events that Modify the System's Discretionary Access Controls - chown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chown:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80686-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chown  oval:ssg-test_32bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit chown  oval:ssg-test_64bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chown  oval:ssg-test_32bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit chown  oval:ssg-test_64bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-80687-7

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmod:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80687-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-80688-5

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmodat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80688-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-80689-3

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchown:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80689-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-80690-1

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchownat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80690-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-80691-9

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fremovexattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80691-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit fremovexattr auid=0  oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-80692-7

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fsetxattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80692-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit fsetxattr auid=0  oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-80693-5

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lchown:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80693-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-80694-3

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lremovexattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80694-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit lremovexattr auid=0  oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-80695-0

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lsetxattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80695-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit lsetxattr auid=0  oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-80696-8

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_removexattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80696-8

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit removexattr auid=0  oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-80697-6

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_setxattr:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80697-6

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit setxattr auid=0  oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Any Attempts to Run chaclxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl mediumCCE-89446-9

Record Any Attempts to Run chacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chacl:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89446-9

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030570, 4.1.3.17, SV-230464r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chacl  oval:ssg-test_audit_rules_execution_chacl_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chacl  oval:ssg-test_audit_rules_execution_chacl_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run setfaclxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl mediumCCE-88437-9

Record Any Attempts to Run setfacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setfacl:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88437-9

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030330, 4.1.3.16, SV-230435r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setfacl  oval:ssg-test_audit_rules_execution_setfacl_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setfacl  oval:ssg-test_audit_rules_execution_setfacl_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-80698-4

Record Any Attempts to Run chcon

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chcon:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80698-4

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030260, 4.1.3.15, SV-230419r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-80700-8

Record Any Attempts to Run semanage

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_semanage:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80700-8

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030313, SV-230429r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules semanage  oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl semanage  oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles mediumCCE-82280-9

Record Any Attempts to Run setfiles

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setfiles:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82280-9

References:  CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030314, SV-230430r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setfiles  oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setfiles  oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-80701-6

Record Any Attempts to Run setsebool

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setsebool:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80701-6

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030316, SV-230432r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules setsebool  oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setsebool  oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-80703-2

Ensure auditd Collects File Deletion Events by User - rename

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rename:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80703-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit rename  oval:ssg-test_32bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit rename  oval:ssg-test_64bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rename  oval:ssg-test_32bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit rename  oval:ssg-test_64bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-80704-0

Ensure auditd Collects File Deletion Events by User - renameat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_renameat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80704-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir mediumCCE-80705-7

Ensure auditd Collects File Deletion Events by User - rmdir

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rmdir:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80705-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, 4.1.14, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-80707-3

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80707-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-80751-1

Record Unsuccessful Access Attempts to Files - creat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80751-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-80752-9

Record Unsuccessful Access Attempts to Files - ftruncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80752-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-80753-7

Record Unsuccessful Access Attempts to Files - open

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80753-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-80755-2

Record Unsuccessful Access Attempts to Files - open_by_handle_at

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80755-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.10, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-80754-5

Record Unsuccessful Access Attempts to Files - openat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80754-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-80756-0

Record Unsuccessful Access Attempts to Files - truncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80756-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-80711-5

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_delete:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80711-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule

Description
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-80712-3

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_finit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80712-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030360, 4.1.15, SV-230438r810464_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
Rationale
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-80713-1

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_init:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80713-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Description
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-80725-5

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chage:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80725-5

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, RHEL-08-030250, SV-230418r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chage  oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chage  oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-80726-3

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chsh:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80726-3

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030410, SV-230448r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-80727-1

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_crontab:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80727-1

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030400, SV-230447r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-80728-9

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_gpasswd:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80728-9

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030370, SV-230444r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - kmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod mediumCCE-89455-0

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_kmod:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89455-0

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030580, SV-230465r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules kmod  oval:ssg-test_audit_rules_privileged_commands_kmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl kmod  oval:ssg-test_audit_rules_privileged_commands_kmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - mountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount mediumCCE-80989-7

Ensure auditd Collects Information on the Use of Privileged Commands - mount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_mount:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80989-7

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030300, SV-230423r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules mount  oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl mount  oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-80729-7

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_newgrp:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80729-7

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030350, SV-230437r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-80730-5

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80730-5

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030340, SV-230436r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-80731-3

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_passwd:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80731-3

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030290, SV-230422r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop mediumCCE-80732-1

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_postdrop:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80732-1

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030311, SV-230427r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue mediumCCE-80733-9

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_postqueue:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80733-9

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030312, SV-230428r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run ssh-agentxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent mediumCCE-85944-7

Record Any Attempts to Run ssh-agent

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_agent:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85944-7

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030280, SV-230421r627750_rule

Description
At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-80735-4

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80735-4

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030320, SV-230434r744002_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-80736-2

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_su:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80736-2

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030190, SV-230412r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules su  oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl su  oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80737-0

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_sudo:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80737-0

References:  BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030550, SV-230462r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount mediumCCE-80739-6

Ensure auditd Collects Information on the Use of Privileged Commands - umount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_umount:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80739-6

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030301, SV-230424r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules umount  oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl umount  oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-80740-4

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80740-4

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030317, SV-230433r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - unix_updatexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update mediumCCE-89480-8

Ensure auditd Collects Information on the Use of Privileged Commands - unix_update

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix_update:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89480-8

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030310, SV-230426r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules unix_update  oval:ssg-test_audit_rules_privileged_commands_unix_update_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix_update  oval:ssg-test_audit_rules_privileged_commands_unix_update_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper mediumCCE-80741-2

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_userhelper:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80741-2

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030315, SV-230431r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - usermodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod mediumCCE-86027-0

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_usermod:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86027-0

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030560, 4.1.3.18, SV-230463r627750_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-80708-1

Make the auditd Configuration Immutable

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_immutable
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_immutable:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80708-1

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable: 
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable: 
-e 2
With this setting, a reboot will be required to change any audit rules.
Rationale
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules configuration locked  oval:ssg-test_ari_locked_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/immutable.rules-e 2

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl configuration locked  oval:ssg-test_ari_locked_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-e 2
Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-80722-2

Ensure auditd Collects Information on Exporting to Media (successful)

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_media_export
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_media_export:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80722-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule

Description
At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit mount  oval:ssg-test_32bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit augenrules 64-bit mount  oval:ssg-test_64bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit mount  oval:ssg-test_32bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ip-172-31-7-214.ec2.internalLinux4.18.0-425.19.2.el8_7.x86_64#1 SMP Fri Mar 17 01:52:38 EDT 2023x86_64

audit auditctl 64-bit mount  oval:ssg-test_64bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
Ensure auditd Collects System Administrator Actions - /etc/sudoersxccdf_org.ssgproject.content_rule_audit_rules_sudoers mediumCCE-90175-1

Ensure auditd Collects System Administrator Actions - /etc/sudoers

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sudoers
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sudoers:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-90175-1

References:  CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030171, SV-230409r627750_rule

Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoers  oval:ssg-test_audit_rules_sudoers_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers -p wa -k actions

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sudoers_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers -p wa -k actions
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d mediumCCE-89497-2

Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sudoers_d:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89497-2

References:  CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030172, SV-230410r627750_rule

Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoers  oval:ssg-test_audit_rules_sudoers_d_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers.d/ -p wa -k actions

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sudoers_d_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers.d/ -p wa -k actions
Record Events When Privileged Executables Are Runxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function mediumCCE-83556-1

Record Events When Privileged Executables Are Run

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_suid_privilege_function:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83556-1

References:  CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, RHEL-08-030000, 4.1.3.2, SV-230386r854037_rule

Description
Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: 
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command: 
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setuid.rules-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit augenrules 64-bit uid privileged function  oval:ssg-test_64bit_uid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setuid.rules-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit augenrules 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setgid.rules-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit augenrules 64-bit gid privileged function  oval:ssg-test_64bit_gid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setgid.rules-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit auditctl 64-bit uid privileged_function  oval:ssg-test_64bit_uid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit auditctl 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit auditctl 64-bit gid privileged_function  oval:ssg-test_64bit_gid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-80758-6

Record Events that Modify User/Group Information - /etc/group

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_group:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80758-6

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030170, 4.1.3.8, SV-230408r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules group  oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/group -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit group  oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/group -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-80759-4

Record Events that Modify User/Group Information - /etc/gshadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_gshadow:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80759-4

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030160, 4.1.3.8, SV-230407r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-80760-2

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_opasswd:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80760-2

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030140, 4.1.3.8, SV-230405r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80761-0

Record Events that Modify User/Group Information - /etc/passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_passwd:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80761-0

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, RHEL-08-030150, 4.1.3.8, SV-230406r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-80762-8

Record Events that Modify User/Group Information - /etc/shadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_shadow:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80762-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030130, 4.1.3.8, SV-230404r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification
System Audit Directories Must Be Group Owned By Rootxccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit mediumCCE-88225-8

System Audit Directories Must Be Group Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-directory_group_ownership_var_log_audit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88225-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030110, SV-230400r627750_rule

Description
All audit directories must be group owned by root user. By default, the path for audit log is 
/var/log/audit/
. To properly set the group owner of /var/log/audit, run the command: 
$ sudo chgrp root /var/log/audit
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group.
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
/var/log/audit/audit.log
/var/log/audit
no valueno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_default_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_default_var_log_audit_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/var/log/auditno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1

log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root

log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root

/var/log/audit directories uid root gid root  oval:ssg-test_group_ownership_var_log_audit_directories-non_root:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories-non_root:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/var/log/auditno valueoval:ssg-state_group_owner_not_root_var_log_audit_directories-non_root:ste:1
System Audit Directories Must Be Owned By Rootxccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit mediumCCE-88226-6

System Audit Directories Must Be Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-directory_ownership_var_log_audit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88226-6

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030100, SV-230399r627750_rule

Description
All audit directories must be owned by root user. By default, the path for audit log is 
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command: 
$ sudo chown root /var/log/audit
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

log_file's directory uid root gid root  oval:ssg-test_user_ownership_var_log_audit_path:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_path:obj:1 of type file_object
PathFilenameFilter
/var/log/audit
/var/log/audit/audit.log
no valueoval:ssg-state_owner_not_root_var_log_audit_directories:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit directories uid root gid root  oval:ssg-test_user_ownership_var_log_audit_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_directories:obj:1 of type file_object
PathFilenameFilter
/var/log/auditno valueoval:ssg-state_owner_not_root_var_log_audit_directories:ste:1
System Audit Logs Must Have Mode 0750 or Less Permissivexccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit mediumCCE-84048-8

System Audit Logs Must Have Mode 0750 or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-directory_permissions_var_log_audit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84048-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000162, CCI-000163, CCI-000164, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030120, SV-230401r627750_rule

Description
Verify the audit log directories have a mode of "0700" or less permissive by first determining where the audit logs are stored with the following command: 
$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log
Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command: 
$ sudo chmod 0700 audit_log_directory
By default, audit_log_directory is "/var/log/audit".
Rationale
If users can write to audit logs, audit trails can be modified or destroyed.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit mode 0700  oval:ssg-test_dir_permissions_audit_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_directory:obj:1 of type file_object
PathFilenameFilter
/var/log/audit/audit.log
/var/log/audit
no valueoval:ssg-state_not_mode_0700:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

/var/log/audit mode 0700  oval:ssg-test_dir_permissions_var_log_audit:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory:obj:1 of type file_object
PathFilenameFilter
/var/log/auditno valueoval:ssg-state_not_mode_0700:ste:1
System Audit Logs Must Be Group Owned By Rootxccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit mediumCCE-88227-4

System Audit Logs Must Be Group Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_group_ownership_var_log_audit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88227-4

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030090, SV-230398r627750_rule

Description
All audit logs must be group owned by root user. The path for audit log can be configured via log_file parameter in 
/etc/audit/auditd.conf
or, by default, the path for audit log is 
/var/log/audit/
. To properly set the group owner of /var/log/audit/*, run the command: 
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

audit log files gid root  oval:ssg-test_group_ownership_audit_log_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_audit_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_group_owner_not_root_var_log_audit:ste:1

log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root

log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

audit log files gid root  oval:ssg-test_group_ownership_default_audit_log_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_default_audit_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_group_owner_not_root_var_log_audit:ste:1

log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root

log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_group = root
System Audit Logs Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig mediumCCE-88228-2

System Audit Logs Must Be Owned By Root

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_var_log_audit_stig:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88228-2

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030080, SV-230397r627750_rule

Description
All audit logs must be owned by root user. The path for audit log can be configured via log_file parameter in 
/etc/audit/auditd.conf
or by default, the path for audit log is 
/var/log/audit/
. To properly set the owner of /var/log/audit/*, run the command: 
$ sudo chown root /var/log/audit/*
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

audit log files uid root  oval:ssg-test_user_ownership_audit_log_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_audit_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_owner_not_root_var_log_audit:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

var/log/audit/audit.log file uid root  oval:ssg-test_user_ownership_audit_default_log_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_audit_default_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_owner_not_root_var_log_audit:ste:1
System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit mediumCCE-80819-6

System Audit Logs Must Have Mode 0640 or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log_audit:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80819-6

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030070, SV-230396r627750_rule

Description
Determine where the audit logs are stored with the following command: 
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: 
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log".
Rationale
If users can write to audit logs, audit trails can be modified or destroyed.
OVAL test results details

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

audit log files mode 0600  oval:ssg-test_file_permissions_audit_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_not_mode_0600:ste:1

log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_file = /var/log/audit/audit.log

default audit log files mode 0600  oval:ssg-test_file_permissions_default_audit_log:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_default_log_files:obj:1 of type file_object
FilepathFilter
/var/log/audit/audit.logoval:ssg-state_not_mode_0600:ste:1
Configure a Sufficiently Large Partition for Audit Logsxccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition mediumCCE-84005-8

Configure a Sufficiently Large Partition for Audit Logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84005-8

References:  CCI-001849, SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133, RHEL-08-030660, SV-230476r877391_rule

Description
The Red Hat Enterprise Linux 8 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: 
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command: 
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Evaluation messages
info  
No candidate or applicable check found.
Configure auditd Disk Error Action on Disk Errorxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action mediumCCE-84046-2

Configure auditd Disk Error Action on Disk Error

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_disk_error_action:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84046-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030040, SV-230390r627750_rule

Description
The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
OVAL test results details

disk full action  oval:ssg-test_auditd_data_disk_error_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confdisk_error_action = syslog
Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action mediumCCE-84045-4

Configure auditd Disk Full Action when Disk Space Is Full

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_disk_full_action:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84045-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030060, SV-230392r627750_rule

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
OVAL test results details

disk error action  oval:ssg-test_auditd_data_disk_full_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confdisk_full_action = syslog
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-80678-6

Configure auditd mail_acct Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_action_mail_acct:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80678-6

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, RHEL-08-030020, 4.1.2.3, SV-230388r627750_rule

Description
The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: 
action_mail_acct = root
Rationale
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
OVAL test results details

email account for actions  oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confaction_mail_acct = root
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-80684-4

Configure auditd space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_action:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80684-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, RHEL-08-030731, 4.1.2.3, SV-244543r877389_rule

Description
The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately: 
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confspace_left_action = email
Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage mediumCCE-86055-1

Configure auditd space_left on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_percentage:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86055-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, RHEL-08-030730, SV-230483r877389_rule

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately: 
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to notify the user of an issue.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_space_left_percentage:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confspace_left = 25%
Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-82233-8

Include Local Events in Audit Logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_local_events
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_local_events:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82233-8

References:  CCI-000366, CM-6, FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227, RHEL-08-030061, SV-230393r627750_rule

Description
To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
Rationale
If option local_events isn't set to yes only events from network will be aggregated.
OVAL test results details

tests the value of local_events setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_local_events:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflocal_events = yes
Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format lowCCE-82201-5

Resolve information before writing to audit logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_log_format
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_log_format:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82201-5

References:  CCI-000366, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227, RHEL-08-030063, SV-230395r627750_rule

Description
To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
Rationale
If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them.
OVAL test results details

tests the value of log_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_log_format:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.conflog_format = ENRICHED
Set hostname as computer node name in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-82897-0

Set hostname as computer node name in audit logs

Rule IDxccdf_org.ssgproject.content_rule_auditd_name_format
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_name_format:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82897-0

References:  CCI-001851, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030062, SV-230394r877390_rule

Description
To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf.
Rationale
If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.
OVAL test results details

tests the value of name_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_name_format:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confname_format = hostname
Appropriate Action Must be Setup When the Internal Audit Event Queue is Fullxccdf_org.ssgproject.content_rule_auditd_overflow_action mediumCCE-85889-4

Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

Rule IDxccdf_org.ssgproject.content_rule_auditd_overflow_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_overflow_action:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85889-4

References:  CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030700, SV-230480r877390_rule

Description
The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action to one of the following values: syslog, single, halt.
Rationale
The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.
OVAL test results details

tests the value of overflow_action setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_overflow_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confoverflow_action = SYSLOG
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-81043-2

Ensure the audit Subsystem is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_audit_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_audit_installed:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81043-2

References:  BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, RHEL-08-030180, 4.1.1.1, SV-230411r744000_rule

Description
The audit package should be installed.
Rationale
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
OVAL test results details

package audit is installed  oval:ssg-test_package_audit_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
auditx86_64(none)4.el83.0.70:3.0.7-4.el8199e2f91fd431d51audit-0:3.0.7-4.el8.x86_64
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-80872-5

Enable auditd Service

Rule IDxccdf_org.ssgproject.content_rule_service_auditd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_auditd_enabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80872-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, RHEL-08-030181, 4.1.1.2, SV-244542r818838_rule

Description
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: 
$ sudo systemctl enable auditd.service
Rationale
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
OVAL test results details

package audit is installed  oval:ssg-test_service_auditd_package_audit_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
auditx86_64(none)4.el83.0.70:3.0.7-4.el8199e2f91fd431d51audit-0:3.0.7-4.el8.x86_64

Test that the auditd service is running  oval:ssg-test_service_running_auditd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
auditd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_auditd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_auditd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument lowCCE-80825-3

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_argument:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80825-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, RHEL-08-030601, 4.1.1.3, SV-230468r792904_rule

Description
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Rationale
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
OVAL test results details

check for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters audit=1 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument lowCCE-80943-4

Extend Audit Backlog Limit for the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_backlog_limit_argument:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80943-4

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030602, 4.1.1.4, SV-230469r877391_rule

Description
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. To ensure that audit_backlog_limit=8192 is added as a kernel command line argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Rationale
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.
OVAL test results details

check for kernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters audit_backlog_limit=8192 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Set the Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_admin_username highCCE-83561-1

Set the Boot Loader Admin Username to a Non-Default Value

Rule IDxccdf_org.ssgproject.content_rule_grub2_admin_username
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_admin_username:def:1
Time2023-05-08T20:22:35+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-83561-1

References:  BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010149, SV-244522r792984_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root'). 
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running: 
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
Rationale
Having a non-default grub superuser username makes password-guessing attacks less effective.
Warnings
warning  To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
OVAL test results details

superuser is defined in /boot/grub2/grub.cfg. Superuser is not equal to other system account nor root, admin, administrator  oval:ssg-test_bootloader_superuser_differ_from_other_users:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grub.cfg set superusers="grubuser"
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7

Set Boot Loader Password in grub2

Rule IDxccdf_org.ssgproject.content_rule_grub2_password
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_password:def:1
Time2023-05-08T20:22:35+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80828-7

References:  BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, 1.4.1, SV-230235r743925_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command: 
# grub2-setpassword
When prompted, enter the password that was selected.

Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings
warning  To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
OVAL test results details

make sure a password is defined in /boot/grub2/user.cfg  oval:ssg-test_grub2_password_usercfg:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/user.cfgGRUB2_PASSWORD=grub.pbkdf2.sha512.10000.81A8D672F7D57C5DBE8878C17D78FF03BB4CEF027F431C61FEDD39563E0DBC87ECCA212BDE24842591491F95268DE5763BC521B7733F7B833C5E9DCE33F6DD24.3ED78435850E86444904F1D90D747A78DA00F79CD3714175C51C9769859DE1B89486C219F2EEADC19A26E9C24ADCC76EE2CF3383755E9E5F6573EFA0774A1804
Set the UEFI Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_uefi_admin_username mediumCCE-83542-1

Set the UEFI Boot Loader Admin Username to a Non-Default Value

Rule IDxccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83542-1

References:  BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010141, SV-244521r792982_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root'). 
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running: 
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
Rationale
Having a non-default grub superuser username makes password-guessing attacks less effective.
Warnings
warning  To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5

Set the UEFI Boot Loader Password

Rule IDxccdf_org.ssgproject.content_rule_grub2_uefi_password
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80829-5

References:  BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, 1.4.1, SV-230234r743922_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command: 
# grub2-setpassword
When prompted, enter the password that was selected.

Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings
warning  To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Enable Kernel Page-Table Isolation (KPTI)xccdf_org.ssgproject.content_rule_grub2_pti_argument lowCCE-82194-2

Enable Kernel Page-Table Isolation (KPTI)

Rule IDxccdf_org.ssgproject.content_rule_grub2_pti_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_pti_argument:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82194-2

References:  CCI-000381, SI-16, SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049, RHEL-08-040004, SV-230491r818842_rule

Description
To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. To ensure that pti=on is added as a kernel command line argument to newly installed kernels, add pti=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
Rationale
Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
OVAL test results details

check for kernel command line parameters pti=on in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_pti_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters pti=on in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_pti_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_pti_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_pti_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Disable vsyscallsxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument mediumCCE-80946-7

Disable vsyscalls

Rule IDxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_vsyscall_argument:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80946-7

References:  CCI-001084, CM-7(a), FPT_ASLR_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010422, SV-230278r792886_rule

Description
To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
Rationale
Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.
OVAL test results details

check for kernel command line parameters vsyscall=none in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters vsyscall=none in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_vsyscall_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_vsyscall_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_vsyscall_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-80859-2

Ensure cron Is Logging To Rsyslog

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_cron_logging:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80859-2

References:  1, 14, 15, 16, 3, 5, 6, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-000366, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 0988, 1405, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2, CM-6(a), ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, RHEL-08-030010, SV-230387r743996_rule

Description
Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf: 
cron.*                                                  /var/log/cron
Rationale
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
OVAL test results details

cron is configured in /etc/rsyslog.conf  oval:ssg-test_cron_logging_rsyslog:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.confcron.* /var/log/cron # Everybody gets emergency messages

cron is configured in /etc/rsyslog.d  oval:ssg-test_cron_logging_rsyslog_dir:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.*$^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$1
Ensure Rsyslog Authenticates Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode mediumCCE-86339-9

Ensure Rsyslog Authenticates Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86339-9

References:  CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030720, SV-230482r877390_rule

Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs the remote system must be authenticated.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
OVAL test results details

Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$ActionSendStreamDriverAuthMode x509/name$1

Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.d/stream_driver_auth.conf$ActionSendStreamDriverAuthMode x509/name
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode mediumCCE-86098-1

Ensure Rsyslog Encrypts Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86098-1

References:  CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off a encrpytion system must be used.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
OVAL test results details

Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$ActionSendStreamDriverMode 1$1

Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.d/encrypt.conf$ActionSendStreamDriverMode 1
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver mediumCCE-85992-6

Ensure Rsyslog Encrypts Off-Loaded Audit Records

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85992-6

References:  CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Description
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off an encryption system must be used.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
OVAL test results details

Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/rsyslog.conf^\$DefaultNetstreamDriver gtls$1

Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf  oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.d/encrypt.conf$DefaultNetstreamDriver gtls
Ensure remote access methods are monitored in Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring mediumCCE-83426-7

Ensure remote access methods are monitored in Rsyslog

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_remote_access_monitoring:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83426-7

References:  CCI-000067, AC-17(1), SRG-OS-000032-GPOS-00013, RHEL-08-010070, SV-230228r627750_rule

Description
Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote access method is the use of the Remote Desktop Protocol (RDP) from an external, non-organization controlled network. The /etc/rsyslog.conf or /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration: 
auth.*;authpriv.*;daemon.*                              /var/log/secure
Rationale
Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.
OVAL test results details

remote method auth monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.confauthpriv.* /var/log/secure daemon.* /var/log/secure auth.* /var/log/secure

remote method authpriv monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_authpriv:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.confauthpriv.* /var/log/secure

remote method daemon monitoring configured in rsyslog'  oval:ssg-test_remote_method_monitoring_daemon:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.confauthpriv.* /var/log/secure daemon.* /var/log/secure
Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-80863-4

Ensure Logs Sent To Remote Host

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_remote_loghost:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80863-4

References:  BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, RHEL-08-030690, 4.2.1.6, SV-230479r877390_rule

Description
To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting logcollector appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery: 
*.* @logcollector

To use TCP for log message delivery: 
*.* @@logcollector

To use RELP for log message delivery: 
*.* :omrelp:logcollector

There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.
Rationale
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Warnings
warning  It is important to configure queues in case the client is sending log messages to a remote server. If queues are not configured, the system will stop functioning when the connection to the remote server is not available. Please consult Rsyslog documentation for more information about configuration of queues. The example configuration which should go into /etc/rsyslog.conf can look like the following lines: 
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
OVAL test results details

Ensures system configured to export logs to remote host  oval:ssg-test_remote_rsyslog_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/rsyslog.conf*.* @

Ensures system configured to export logs to remote host  oval:ssg-test_remote_rsyslog_d:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/rsyslog.d^.+\.conf$^\*\.\*[\s]+(?:@|\:omrelp\:)1
Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-82859-0

Ensure rsyslog-gnutls is installed

Rule IDxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsyslog-gnutls_installed:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82859-0

References:  BP28(R43), CCI-000366, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, RHEL-08-030680, SV-230478r744011_rule

Description
TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command: 
$ sudo yum install rsyslog-gnutls
Rationale
The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.
OVAL test results details

package rsyslog-gnutls is installed  oval:ssg-test_package_rsyslog-gnutls_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rsyslog-gnutlsx86_64(none)10.el88.2102.00:8.2102.0-10.el8199e2f91fd431d51rsyslog-gnutls-0:8.2102.0-10.el8.x86_64
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-80847-7

Ensure rsyslog is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsyslog_installed:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80847-7

References:  BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, 4.2.1.1, SV-230477r627750_rule

Description
Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
 $ sudo yum install rsyslog
Rationale
The rsyslog package provides the rsyslog daemon, which provides system logging services.
OVAL test results details

package rsyslog is installed  oval:ssg-test_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rsyslogx86_64(none)10.el88.2102.00:8.2102.0-10.el8199e2f91fd431d51rsyslog-0:8.2102.0-10.el8.x86_64
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-80886-5

Enable rsyslog Service

Rule IDxccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_rsyslog_enabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80886-5

References:  BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, 4.2.1.2, SV-230298r627750_rule

Description
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The rsyslog service can be enabled with the following command: 
$ sudo systemctl enable rsyslog.service
Rationale
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
OVAL test results details

package rsyslog is installed  oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rsyslogx86_64(none)10.el88.2102.00:8.2102.0-10.el8199e2f91fd431d51rsyslog-0:8.2102.0-10.el8.x86_64

Test that the rsyslog service is running  oval:ssg-test_service_running_rsyslog:tst:1  true

Following items have been found on the system:
UnitPropertyValue
rsyslog.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_rsyslog:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-82998-6

Install firewalld Package

Rule IDxccdf_org.ssgproject.content_rule_package_firewalld_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_firewalld_installed:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82998-6

References:  CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r854048_rule

Description
The firewalld package can be installed with the following command: 
$ sudo yum install firewalld
Rationale
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."
OVAL test results details

package firewalld is installed  oval:ssg-test_package_firewalld_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
firewalldnoarch(none)13.el80.9.30:0.9.3-13.el8199e2f91fd431d51firewalld-0:0.9.3-13.el8.noarch
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-80877-4

Verify firewalld Enabled

Rule IDxccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_firewalld_enabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80877-4

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040101, 3.4.1.4, SV-244544r854073_rule

Description
The firewalld service can be enabled with the following command: 
$ sudo systemctl enable firewalld.service
Rationale
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
OVAL test results details

package firewalld is installed  oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
firewalldnoarch(none)13.el80.9.30:0.9.3-13.el8199e2f91fd431d51firewalld-0:0.9.3-13.el8.noarch

Test that the firewalld service is running  oval:ssg-test_service_running_firewalld:tst:1  true

Following items have been found on the system:
UnitPropertyValue
firewalld.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_firewalld:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_firewalld_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-84300-3

Configure the Firewalld Ports

Rule IDxccdf_org.ssgproject.content_rule_configure_firewalld_ports
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84300-3

References:  11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, CCI-002314, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1416, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, RHEL-08-040030, SV-230500r627750_rule

Description
Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command: 
firewall-cmd --permanent --add-port=port_number/tcp
To configure firewalld to allow access for pre-defined services, run the following command: 
firewall-cmd --permanent --add-service=service_name
Rationale
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.
Evaluation messages
info  
No candidate or applicable check found.
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra mediumCCE-81006-9

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81006-9

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r858812_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_ra = 0

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_ra = 0

net.ipv6.conf.all.accept_ra static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_ra static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_ra = 0
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_ra = 0

kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_ra0
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81009-3

References:  BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r858820_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_redirects = 0
/etc/sysctl.confnet.ipv6.conf.all.accept_redirects = 0

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81013-5

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r858801_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_source_route = 0
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_source_route = 0

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_source_route0
Disable Kernel Parameter for IPv6 Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding mediumCCE-82863-2

Disable Kernel Parameter for IPv6 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82863-2

References:  1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r858810_rule

Description
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.forwarding = 0

net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.forwarding = 0

net.ipv6.conf.all.forwarding static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.forwarding static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.forwarding = 0
/etc/sysctl.confnet.ipv6.conf.all.forwarding = 0

kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.forwarding0
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra mediumCCE-81007-7

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81007-7

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r858814_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_ra = 0

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_ra = 0

net.ipv6.conf.default.accept_ra static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_ra static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_ra = 0
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_ra = 0

kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_ra0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81010-1

References:  BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r858793_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_redirects = 0
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_redirects = 0

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81015-0

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r861085_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv6.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object
Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_source_route = 0
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_source_route = 0

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_source_route0
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80917-8

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r858818_rule

Description
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_redirects = 0
/etc/sysctl.confnet.ipv4.conf.all.accept_redirects = 0

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81011-9

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r858799_rule

Description
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.accept_source_route = 0
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_source_route = 0

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.accept_source_route0
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding mediumCCE-86220-1

Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_forwarding:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86220-1

References:  CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040259, SV-250317r858808_rule

Description
To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Warnings
warning  There might be cases when certain applications can systematically override this option. One such case is Libvirt; a toolkit for managing of virtualization platforms. By default, Libvirt requires IP forwarding to be enabled to facilitate network communication between the virtualization host and guest machines. It enables IP forwarding after every reboot.
OVAL test results details

net.ipv4.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.forwarding = 0

net.ipv4.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.forwarding = 0

net.ipv4.conf.all.forwarding static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.forwarding static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.forwarding = 0
/etc/sysctl.confnet.ipv4.conf.all.forwarding = 0

kernel runtime parameter net.ipv4.conf.all.forwarding set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.forwarding0
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81021-8

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r858830_rule

Description
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.rp_filter = 1
Rationale
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
OVAL test results details

net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.rp_filter static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.rp_filter static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.rp_filter = 1
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.rp_filter = 1

kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.rp_filter1
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80919-4

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r858791_rule

Description
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_redirects = 0
/etc/sysctl.confnet.ipv4.conf.default.accept_redirects = 0

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80920-2

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r858803_rule

Description
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.accept_source_route = 0
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_source_route = 0

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.accept_source_route0
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80922-8

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80922-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r858797_rule

Description
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
OVAL test results details

net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts = 1
/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts = 1

kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.icmp_echo_ignore_broadcasts1
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80918-6

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r858795_rule

Description
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.send_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.send_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.send_redirects = 0
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.send_redirects = 0

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.send_redirects0
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80921-0

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r858816_rule

Description
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: 
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.default.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.send_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.send_redirects static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$1

net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.send_redirects = 0
/etc/sysctl.confnet.ipv4.conf.default.send_redirects = 0

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.send_redirects0
Disable ATM Supportxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled mediumCCE-82028-2

Disable ATM Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_atm_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82028-2

References:  CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040021, SV-230494r792911_rule

Description
The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: 
install atm /bin/true
To configure the system to prevent the atm from being used, add the following line to file /etc/modprobe.d/atm.conf: 
blacklist atm
Rationale
Disabling ATM protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module atm blacklisted  oval:ssg-test_kernmod_atm_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/atm.confblacklist atm

kernel module atm disabled  oval:ssg-test_kernmod_atm_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/atm.confinstall atm /bin/true
Disable CAN Supportxccdf_org.ssgproject.content_rule_kernel_module_can_disabled mediumCCE-82059-7

Disable CAN Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_can_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_can_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82059-7

References:  CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040022, SV-230495r792914_rule

Description
The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: 
install can /bin/true
To configure the system to prevent the can from being used, add the following line to file /etc/modprobe.d/can.conf: 
blacklist can
Rationale
Disabling CAN protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module can blacklisted  oval:ssg-test_kernmod_can_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/can.confblacklist can

kernel module can disabled  oval:ssg-test_kernmod_can_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/can.confinstall can /bin/true
Disable IEEE 1394 (FireWire) Supportxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled lowCCE-82005-0

Disable IEEE 1394 (FireWire) Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_firewire-core_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82005-0

References:  CCI-000381, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040026, SV-230499r792924_rule

Description
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: 
install firewire-core /bin/true
To configure the system to prevent the firewire-core from being used, add the following line to file /etc/modprobe.d/firewire-core.conf: 
blacklist firewire-core
Rationale
Disabling FireWire protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module firewire-core blacklisted  oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/firewire-core.confblacklist firewire-core

kernel module firewire-core disabled  oval:ssg-test_kernmod_firewire-core_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/firewire-core.confinstall firewire-core /bin/true
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-80834-5

Disable SCTP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_sctp_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80834-5

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule

Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: 
install sctp /bin/true
To configure the system to prevent the sctp from being used, add the following line to file /etc/modprobe.d/sctp.conf: 
blacklist sctp
Rationale
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module sctp blacklisted  oval:ssg-test_kernmod_sctp_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confblacklist sctp

kernel module sctp disabled  oval:ssg-test_kernmod_sctp_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confinstall sctp /bin/true
Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled lowCCE-82297-3

Disable TIPC Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_tipc_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82297-3

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040024, SV-230497r792920_rule

Description
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: 
install tipc /bin/true
To configure the system to prevent the tipc from being used, add the following line to file /etc/modprobe.d/tipc.conf: 
blacklist tipc
Rationale
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Warnings
warning  This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.
OVAL test results details

kernel module tipc blacklisted  oval:ssg-test_kernmod_tipc_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/tipc.confblacklist tipc

kernel module tipc disabled  oval:ssg-test_kernmod_tipc_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/tipc.confinstall tipc /bin/true
Disable Bluetooth Kernel Modulexccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled mediumCCE-80832-9

Disable Bluetooth Kernel Module

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_bluetooth_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80832-9

References:  11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118, RHEL-08-040111, SV-230507r833336_rule

Description
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module: 
install bluetooth /bin/true
Rationale
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
OVAL test results details

kernel module bluetooth blacklisted  oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/bluetooth.confblacklist bluetooth

kernel module bluetooth disabled  oval:ssg-test_kernmod_bluetooth_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/bluetooth.confinstall bluetooth /bin/true
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-83501-7

Deactivate Wireless Network Interfaces

Rule IDxccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83501-7

References:  11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, 3.1.4, SV-230506r627750_rule

Description
Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command: 
$ sudo nmcli radio all off
Rationale
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution mediumCCE-84049-6

Configure Multiple DNS Servers in /etc/resolv.conf

Rule IDxccdf_org.ssgproject.content_rule_network_configure_name_resolution
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-network_configure_name_resolution:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84049-6

References:  12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-20(a), CM-6(a), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010680, SV-230316r627750_rule

Description
Determine whether the system is using local or DNS name resolution with the following command: 
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: 
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following:
Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example: 
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
Rationale
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
OVAL test results details

check if dns is set in host line in /etc/nsswitch.conf  oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1  true

Following items have been found on the system:
PathContent
/etc/nsswitch.confhosts: files dns myhostname

check if more than one nameserver in /etc/resolv.conf  oval:ssg-test_network_configure_name_resolution:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/resolv.conf^[\s]*nameserver[\s]+([0-9\.]+)$1

check if dns is set in host line in /etc/nsswitch.conf  oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1  true

Following items have been found on the system:
PathContent
/etc/nsswitch.confhosts: files dns myhostname

check if /etc/resolv.conf is empty  oval:ssg-test_file_empty_resolv:tst:1  false

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/resolv.confregular0072rw-r--r-- 
Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-82283-3

Ensure System is Not Acting as a Network Sniffer

Rule IDxccdf_org.ssgproject.content_rule_network_sniffer_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-network_sniffer_disabled:def:1
Time2023-05-08T20:22:35+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82283-3

References:  1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040330, SV-230554r627750_rule

Description
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: 
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command: 
$ sudo ip link set dev device_name multicast off promisc off
Rationale
Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
OVAL test results details

check all network interfaces for PROMISC flag  oval:ssg-test_promisc_interfaces:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object
NameFilter
^.*$oval:ssg-state_promisc:ste:1
Verify Group Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_groupowner_var_log mediumCCE-83659-3

Verify Group Who Owns /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_var_log:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83659-3

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010260, SV-230250r627750_rule

Description
To properly set the group owner of /var/log, run the command: 
$ sudo chgrp root /var/log
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing group ownership of /var/log/  oval:ssg-test_file_groupowner_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1
Verify Group Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages mediumCCE-83660-1

Verify Group Who Owns /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_var_log_messages:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83660-1

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010230, SV-230247r627750_rule

Description
To properly set the group owner of /var/log/messages, run the command: 
$ sudo chgrp root /var/log/messages
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing group ownership of /var/log/messages  oval:ssg-test_file_groupowner_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1
Verify User Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_owner_var_log mediumCCE-83661-9

Verify User Who Owns /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_owner_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_var_log:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83661-9

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010250, SV-230249r627750_rule

Description
To properly set the owner of /var/log, run the command: 
$ sudo chown root /var/log
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing user ownership of /var/log/  oval:ssg-test_file_owner_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-symlink_file_owner_var_log_uid_0:ste:1oval:ssg-state_file_owner_var_log_uid_0_0:ste:1
Verify User Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_owner_var_log_messages mediumCCE-83662-7

Verify User Who Owns /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_var_log_messages:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83662-7

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010220, SV-230246r627750_rule

Description
To properly set the owner of /var/log/messages, run the command: 
$ sudo chown root /var/log/messages
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing user ownership of /var/log/messages  oval:ssg-test_file_owner_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1
Verify Permissions on /var/log Directoryxccdf_org.ssgproject.content_rule_file_permissions_var_log mediumCCE-83663-5

Verify Permissions on /var/log Directory

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83663-5

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010240, SV-230248r627750_rule

Description
To properly set the permissions of /var/log, run the command: 
$ sudo chmod 0755 /var/log
Rationale
The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing mode of /var/log/  oval:ssg-test_file_permissions_var_log_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_0:obj:1 of type file_object
PathFilenameFilterFilter
/var/logno valueoval:ssg-exclude_symlinks__var_log:ste:1oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1
Verify Permissions on /var/log/messages Filexccdf_org.ssgproject.content_rule_file_permissions_var_log_messages mediumCCE-83665-0

Verify Permissions on /var/log/messages File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_var_log_messages:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83665-0

References:  CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010210, SV-230245r627750_rule

Description
To properly set the permissions of /var/log/messages, run the command: 
$ sudo chmod 0640 /var/log/messages
Rationale
The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.
OVAL test results details

Testing mode of /var/log/messages  oval:ssg-test_file_permissions_var_log_messages_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_messages_0:obj:1 of type file_object
FilepathFilterFilter
/var/log/messagesoval:ssg-exclude_symlinks__var_log_messages:ste:1oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1
Verify that Shared Library Directories Have Root Group Ownershipxccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs mediumCCE-85894-4

Verify that Shared Library Directories Have Root Group Ownership

Rule IDxccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_group_ownership_library_dirs:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85894-4

References:  CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010351, SV-251709r810014_rule

Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chgrp root DIR
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
OVAL test results details

Testing group ownership of /lib/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1

Testing group ownership of /lib64/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1

Testing group ownership of /usr/lib/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1

Testing group ownership of /usr/lib64/  oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1
Verify that Shared Library Directories Have Root Ownershipxccdf_org.ssgproject.content_rule_dir_ownership_library_dirs mediumCCE-89021-0

Verify that Shared Library Directories Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_ownership_library_dirs:def:1
Time2023-05-08T20:22:48+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89021-0

References:  CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010341, SV-251708r810012_rule

Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chown root DIR
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
OVAL test results details

Testing user ownership of /lib/  oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1

Testing user ownership of /lib64/  oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1

Testing user ownership of /usr/lib/  oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1

Testing user ownership of /usr/lib64/  oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1
Verify that Shared Library Directories Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_dir_permissions_library_dirs mediumCCE-88692-9

Verify that Shared Library Directories Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_permissions_library_dirs:def:1
Time2023-05-08T20:22:49+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88692-9

References:  CCI-001499, CIP-003-8 R6, CM-5, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010331, SV-251707r809345_rule

Description
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w DIR
Rationale
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

Testing mode of /lib/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/libno valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1

Testing mode of /lib64/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64no valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/libno valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib64/  oval:ssg-test_file_permissionsdir_permissions_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64no valueoval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1oval:ssg-state_file_permissionsdir_permissions_library_dirs_3_mode_7755or_stricter_:ste:1
Verify that system commands files are group owned by root or a system accountxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs mediumCCE-86519-6

Verify that system commands files are group owned by root or a system account

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_system_commands_dirs:def:1
Time2023-05-08T20:22:49+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86519-6

References:  CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010320, SV-230259r792864_rule

Description
System commands files are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: 
$ sudo chgrp root FILE
Rationale
If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

system commands are owned by root or a system account  oval:ssg-test_groupownership_system_commands_dirs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type file_object
PathFilenameFilter
^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin^.*$oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1
Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-80806-3

Verify that System Executables Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_binary_dirs:def:1
Time2023-05-08T20:22:49+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80806-3

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010310, SV-230258r627750_rule

Description
System executables are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: 
$ sudo chown root FILE
Rationale
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
OVAL test results details

binary directories uid root  oval:ssg-test_ownership_binary_directories:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type file_object
PathFilenameFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexecno valueoval:ssg-state_owner_binaries_not_root:ste:1

binary files uid root  oval:ssg-test_ownership_binary_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type file_object
PathFilenameFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_owner_binaries_not_root:ste:1
Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-80807-1

Verify that Shared Library Files Have Root Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_library_dirs:def:1
Time2023-05-08T20:22:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80807-1

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010340, SV-230261r627750_rule

Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: 
$ sudo chown root FILE
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
OVAL test results details

Testing user ownership of /lib/  oval:ssg-test_file_ownership_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1

Testing user ownership of /lib64/  oval:ssg-test_file_ownership_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1

Testing user ownership of /usr/lib/  oval:ssg-test_file_ownership_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1

Testing user ownership of /usr/lib64/  oval:ssg-test_file_ownership_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1
Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs mediumCCE-80809-7

Verify that System Executables Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_binary_dirs:def:1
Time2023-05-08T20:22:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80809-7

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010300, SV-230257r792862_rule

Description
System executables are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w FILE
Rationale
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
OVAL test results details

binary files go-w  oval:ssg-test_perms_binary_files:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_binary_files:obj:1 of type file_object
PathFilenameFilterFilter
^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1oval:ssg-state_perms_binary_files_symlink:ste:1
Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-80815-4

Verify that Shared Library Files Have Restrictive Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_library_dirs:def:1
Time2023-05-08T20:22:57+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80815-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), CM-5(6), CM-5(6).1, AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010330, SV-230260r792867_rule

Description
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: 
$ sudo chmod go-w FILE
Rationale
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
OVAL test results details

Testing mode of /lib/  oval:ssg-test_file_permissions_library_dirs_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1

Testing mode of /lib64/  oval:ssg-test_file_permissions_library_dirs_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib/  oval:ssg-test_file_permissions_library_dirs_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1

Testing mode of /usr/lib64/  oval:ssg-test_file_permissions_library_dirs_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-exclude_symlinks__library_dirs:ste:1oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files mediumCCE-86523-8

Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

Rule IDxccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-root_permissions_syslibrary_files:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86523-8

References:  CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010350, SV-230262r627750_rule

Description
System-wide library files are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command: 
$ sudo chgrp root FILE
Rationale
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

Testing group ownership of /lib/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_0:ste:1

Testing group ownership of /lib64/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_1:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_1:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/lib64^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_1:ste:1

Testing group ownership of /usr/lib/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_2:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_2:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_2:ste:1

Testing group ownership of /usr/lib64/  oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_3:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_3:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/usr/lib64^.*$oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_3:ste:1
Ensure All World-Writable Directories Are Owned by root userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned mediumCCE-83375-6

Ensure All World-Writable Directories Are Owned by root user

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_root_owned:def:1
Time2023-05-08T20:22:36+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83375-6

References:  BP28(R40), CCI-000366, SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069, RHEL-08-010700, SV-230318r743960_rule

Description
All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.
Rationale
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
OVAL test results details

check for local directories that are world writable and have uid greater than 0  oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid_zero:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/no valueoval:ssg-state_uid_is_not_root_and_world_writable:ste:1
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-80783-4

Verify that All World-Writable Directories Have Sticky Bits Set

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_sticky_bits:def:1
Time2023-05-08T20:22:37+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80783-4

References:  BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, 6.1.2, SV-230243r792857_rule

Description
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: 
$ sudo chmod +t DIR
Rationale
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
OVAL test results details

all local world-writable directories have sticky bit set  oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/no valueoval:ssg-state_world_writable_and_not_sticky:ste:1
Ensure All World-Writable Directories Are Group Owned by a System Accountxccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group mediumCCE-85886-0

Ensure All World-Writable Directories Are Group Owned by a System Account

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_system_owned_group:def:1
Time2023-05-08T20:22:38+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85886-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010710, SV-230319r743961_rule

Description
All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
Rationale
Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
OVAL test results details

check for local directories that are world writable and have gid greater than or equal to 1000  oval:ssg-test_dir_world_writable_gid_gt_value:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_gid:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/no valueoval:ssg-state_gid_is_user_and_world_writable:ste:1
Verify Permissions on /etc/audit/auditd.confxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd mediumCCE-85871-2

Verify Permissions on /etc/audit/auditd.conf

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_audit_auditd:def:1
Time2023-05-08T20:22:38+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85871-2

References:  CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Description
To properly set the permissions of /etc/audit/auditd.conf, run the command: 
$ sudo chmod 0640 /etc/audit/auditd.conf
Rationale
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
OVAL test results details

Testing mode of /etc/audit/auditd.conf  oval:ssg-test_file_permissions_etc_audit_auditd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_audit_auditd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/audit/auditd.confoval:ssg-exclude_symlinks__etc_audit_auditd:ste:1oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1
Verify Permissions on /etc/audit/rules.d/*.rulesxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd mediumCCE-85875-3

Verify Permissions on /etc/audit/rules.d/*.rules

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_audit_rulesd:def:1
Time2023-05-08T20:22:38+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85875-3

References:  CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Description
To properly set the permissions of /etc/audit/rules.d/*.rules, run the command: 
$ sudo chmod 0640 /etc/audit/rules.d/*.rules
Rationale
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
OVAL test results details

Testing mode of /etc/audit/rules.d/  oval:ssg-test_file_permissions_etc_audit_rulesd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_audit_rulesd_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/audit/rules.d^.*rules$oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0640or_stricter_:ste:1
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-83497-8

Ensure All Files Are Owned by a Group

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_ungroupowned:def:1
Time2023-05-08T20:22:43+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83497-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010790, 6.1.13, SV-230327r627750_rule

Description
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group: 
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: 
$ sudo find PARTITION -xdev -nogroup
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  This rule only considers local groups. If you have your groups defined outside /etc/group, the rule won't consider those.
OVAL test results details

files with no group owner  oval:ssg-test_file_permissions_ungroupowned:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/.*oval:ssg-state_file_permissions_ungroupowned:ste:1
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-83499-4

Ensure All Files Are Owned by a User

Rule IDxccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_files_unowned_by_user:def:1
Time2023-05-08T20:22:47+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83499-4

References:  11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, 6.1.12, SV-230326r627750_rule

Description
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user: 
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: 
$ sudo find PARTITION -xdev -nouser
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  For this rule to evaluate centralized user accounts, getent must be working properly so that running the command 
getent passwd
returns a list of all users in your organization. If using the System Security Services Daemon (SSSD), 
enumerate = true
must be configured in your organization's domain to return a complete list of users
warning  Enabling this rule will result in slower scan times depending on the size of your organization and number of centralized users.
OVAL test results details

Check user ids on all files on the system  oval:ssg-no_files_unowned_by_user_test:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/.*oval:ssg-file_permissions_unowned_userid_list_match:ste:1
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-80873-3

Disable the Automounter

Rule IDxccdf_org.ssgproject.content_rule_service_autofs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_autofs_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80873-3

References:  1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, 1.1.9, SV-230502r627750_rule

Description
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command: 
$ sudo systemctl mask --now autofs.service
Rationale
Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
OVAL test results details

package autofs is removed  oval:ssg-test_service_autofs_package_autofs_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type rpminfo_object
Name
autofs

Test that the autofs service is not running  oval:ssg-test_service_not_running_autofs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
UnitProperty
^autofs\.(service|socket)$ActiveState

Test that the property LoadState from the service autofs is masked  oval:ssg-test_service_loadstate_is_masked_autofs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object
UnitProperty
^autofs\.(service|socket)$LoadState
Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-81031-7

Disable Mounting of cramfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_cramfs_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-81031-7

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule

Description
To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: 
install cramfs /bin/true
To configure the system to prevent the cramfs from being used, add the following line to file /etc/modprobe.d/cramfs.conf: 
blacklist cramfs
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the server.
OVAL test results details

kernel module cramfs blacklisted  oval:ssg-test_kernmod_cramfs_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/cramfs.confblacklist cramfs

kernel module cramfs disabled  oval:ssg-test_kernmod_cramfs_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/cramfs.confinstall cramfs /bin/true
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-80835-2

Disable Modprobe Loading of USB Storage Driver

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_usb-storage_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80835-2

References:  1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule

Description
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: 
install usb-storage /bin/true
To configure the system to prevent the usb-storage from being used, add the following line to file /etc/modprobe.d/usb-storage.conf: 
blacklist usb-storage
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Rationale
USB storage devices such as thumb drives can be used to introduce malicious software.
OVAL test results details

kernel module usb-storage blacklisted  oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confblacklist usb-storage

kernel module usb-storage disabled  oval:ssg-test_kernmod_usb-storage_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confinstall usb-storage /bin/true
Add nosuid Option to /boot/efixccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid mediumCCE-86038-7

Add nosuid Option to /boot/efi

Rule IDxccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86038-7

References:  CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010572, SV-244530r809336_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /boot/efi. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot/efi.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.
Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-81033-3

Add nosuid Option to /boot

Rule IDxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_boot_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81033-3

References:  BP28(R12), CCI-000366, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010571, SV-230300r743959_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.
OVAL test results details

nosuid on /boot   oval:ssg-test_boot_partition_nosuid_optional:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_boot_partition_nosuid_optional:obj:1 of type partition_object
Mount point
/boot

/boot exists  oval:ssg-test_boot_partition_nosuid_optional_exist:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_boot_partition_nosuid_optional:obj:1 of type partition_object
Mount point
/boot

nosuid on /boot in /etc/fstab  oval:ssg-test_boot_partition_nosuid_optional_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_boot_partition_nosuid_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+)1

/boot exists in /etc/fstab  oval:ssg-test_boot_partition_nosuid_optional_exist_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_boot_partition_nosuid_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+)1
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-80837-8

Add nodev Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nodev:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80837-8

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, 1.1.8.1, SV-230508r854049_rule

Description
The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /dev/shm   oval:ssg-test_dev_shm_partition_nodev_expected:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

/dev/shm exists  oval:ssg-test_dev_shm_partition_nodev_expected_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

nodev on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_nodev_expected_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstabtmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-80838-6

Add noexec Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80838-6

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, 1.1.8.2, SV-230510r854051_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.
OVAL test results details

noexec on /dev/shm   oval:ssg-test_dev_shm_partition_noexec_expected:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

/dev/shm exists  oval:ssg-test_dev_shm_partition_noexec_expected_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

noexec on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_noexec_expected_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstabtmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-80839-4

Add nosuid Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80839-4

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r854050_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
OVAL test results details

nosuid on /dev/shm   oval:ssg-test_dev_shm_partition_nosuid_expected:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

/dev/shm exists  oval:ssg-test_dev_shm_partition_nosuid_expected_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4699820469982

nosuid on /dev/shm in /etc/fstab  oval:ssg-test_dev_shm_partition_nosuid_expected_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstabtmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec
Add noexec Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_noexec mediumCCE-83328-5

Add noexec Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_home_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83328-5

References:  BP28(R12), CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-010590, SV-230302r627750_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The /home directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.
OVAL test results details

noexec on /home   oval:ssg-test_home_partition_noexec_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/RootVG-homeVolb84b8bdc-384f-44ab-ad39-f905bf9d2f2cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958410085249499

/home exists  oval:ssg-test_home_partition_noexec_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/RootVG-homeVolb84b8bdc-384f-44ab-ad39-f905bf9d2f2cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958410085249499

noexec on /home in /etc/fstab  oval:ssg-test_home_partition_noexec_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-homeVol /home xfs defaults,rw,noexec,nosuid,nodev

/home exists in /etc/fstab  oval:ssg-test_home_partition_noexec_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-homeVol /home xfs defaults,rw,noexec,nosuid,nodev
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-81050-7

Add nosuid Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_home_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81050-7

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.
OVAL test results details

nosuid on /home   oval:ssg-test_home_partition_nosuid_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/RootVG-homeVolb84b8bdc-384f-44ab-ad39-f905bf9d2f2cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958410085249499

/home exists  oval:ssg-test_home_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/RootVG-homeVolb84b8bdc-384f-44ab-ad39-f905bf9d2f2cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958410085249499

nosuid on /home in /etc/fstab  oval:ssg-test_home_partition_nosuid_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-homeVol /home xfs defaults,rw,noexec,nosuid,nodev

/home exists in /etc/fstab  oval:ssg-test_home_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-homeVol /home xfs defaults,rw,noexec,nosuid,nodev
Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions mediumCCE-82069-6

Add nodev Option to Non-Root Local Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82069-6

References:  BP28(R12), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010580, SV-230301r627750_rule

Description
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.
Rationale
The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.
OVAL test results details

nodev on local filesystems  oval:ssg-test_nodev_nonroot_local_partitions:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_non_root_partitions:obj:1 of type partition_object
Mount pointFilter
^/\w.*$oval:ssg-state_local_nodev:ste:1
Add nodev Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions mediumCCE-82742-8

Add nodev Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nodev_removable_partitions:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82742-8

References:  11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010600, 1.1.18, SV-230303r627750_rule

Description
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_removable_partition:var:1/dev/cdrom

'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'nodev' mount option in /etc/fstab  oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add noexec Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions mediumCCE-82746-9

Add noexec Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_noexec_removable_partitions:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82746-9

References:  11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010610, 1.1.20, SV-230304r627750_rule

Description
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_removable_partition:var:1/dev/cdrom

'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'noexec' mount option in /etc/fstab  oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions mediumCCE-82744-4

Add nosuid Option to Removable Media Partitions

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nosuid_removable_partitions:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82744-4

References:  11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010620, 1.1.19, SV-230305r627750_rule

Description
The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.
OVAL test results details

Check if expected removable partitions truly exist on the system  oval:ssg-test_removable_partition_doesnt_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type file_object
Filepath
/dev/cdrom

Check if removable partition variable value represents CD/DVD drive  oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_removable_partition:var:1/dev/cdrom

'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

'CD/DVD drive is not listed in /etc/fstab  oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1

Check if removable partition is configured with 'nosuid' mount option in /etc/fstab  oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev mediumCCE-82623-0

Add nodev Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_nodev:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82623-0

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r854052_rule

Description
The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /tmp   oval:ssg-test_tmp_partition_nodev_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

/tmp exists  oval:ssg-test_tmp_partition_nodev_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

nodev on /tmp in /etc/fstab  oval:ssg-test_tmp_partition_nodev_optional_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_nodev_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1

/tmp exists in /etc/fstab  oval:ssg-test_tmp_partition_nodev_optional_exist_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_nodev_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-82139-7

Add noexec Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82139-7

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, 1.1.2.3, SV-230513r854054_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

Reboot:false
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/tmp")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "noexec"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/tmp"; then
        if mountpoint -q "/tmp"; then
            mount -o remount --target "/tmp"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /tmp --mountoptions="noexec"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /tmp: Check information associated to mountpoint'
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
  tags:
  - CCE-82139-7
  - DISA-STIG-RHEL-08-040125
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_tmp_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /tmp: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "/tmp" in ansible_mounts | map(attribute="mount") | list )
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82139-7
  - DISA-STIG-RHEL-08-040125
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_tmp_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /tmp: If /tmp not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /tmp
    - ''
    - ''
    - defaults
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "/tmp" in ansible_mounts | map(attribute="mount") | list )
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82139-7
  - DISA-STIG-RHEL-08-040125
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_tmp_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /tmp: Make sure noexec option is part of the to /tmp
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "/tmp" in ansible_mounts | map(attribute="mount") | list )
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-82139-7
  - DISA-STIG-RHEL-08-040125
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_tmp_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /tmp: Ensure /tmp is mounted with noexec option'
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and "/tmp" in ansible_mounts | map(attribute="mount") | list )
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82139-7
  - DISA-STIG-RHEL-08-040125
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_tmp_noexec
  - no_reboot_needed
OVAL test results details

noexec on /tmp   oval:ssg-test_tmp_partition_noexec_optional:tst:1  false

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

/tmp exists  oval:ssg-test_tmp_partition_noexec_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

noexec on /tmp in /etc/fstab  oval:ssg-test_tmp_partition_noexec_optional_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_noexec_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1

/tmp exists in /etc/fstab  oval:ssg-test_tmp_partition_noexec_optional_exist_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_noexec_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-82140-5

Add nosuid Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82140-5

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r854053_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
OVAL test results details

nosuid on /tmp   oval:ssg-test_tmp_partition_nosuid_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

/tmp exists  oval:ssg-test_tmp_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmptmpfstmpfsrwseclabelnosuidnodev46998211469971

nosuid on /tmp in /etc/fstab  oval:ssg-test_tmp_partition_nosuid_optional_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_nosuid_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1

/tmp exists in /etc/fstab  oval:ssg-test_tmp_partition_nosuid_optional_exist_in_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_tmp_partition_nosuid_optional_in_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^[\s]*[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+)1
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-82080-3

Add nodev Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_nodev:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82080-3

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r854058_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /var/log/audit   oval:ssg-test_var_log_audit_partition_nodev_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

/var/log/audit exists  oval:ssg-test_var_log_audit_partition_nodev_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

nodev on /var/log/audit in /etc/fstab  oval:ssg-test_var_log_audit_partition_nodev_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid

/var/log/audit exists in /etc/fstab  oval:ssg-test_var_log_audit_partition_nodev_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-82975-4

Add noexec Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82975-4

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r854060_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.
OVAL test results details

noexec on /var/log/audit   oval:ssg-test_var_log_audit_partition_noexec_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

/var/log/audit exists  oval:ssg-test_var_log_audit_partition_noexec_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

noexec on /var/log/audit in /etc/fstab  oval:ssg-test_var_log_audit_partition_noexec_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid

/var/log/audit exists in /etc/fstab  oval:ssg-test_var_log_audit_partition_noexec_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-82921-8

Add nosuid Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82921-8

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r854059_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.
OVAL test results details

nosuid on /var/log/audit   oval:ssg-test_var_log_audit_partition_nosuid_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

/var/log/audit exists  oval:ssg-test_var_log_audit_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/audit/dev/mapper/RootVG-auditVolda815c95-7c5b-4564-ba54-da451b108d03xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind1565184192231545961

nosuid on /var/log/audit in /etc/fstab  oval:ssg-test_var_log_audit_partition_nosuid_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid

/var/log/audit exists in /etc/fstab  oval:ssg-test_var_log_audit_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-auditVol /var/log/audit xfs defaults,rw,nodev,noexec,nosuid
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-82077-9

Add nodev Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_nodev:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82077-9

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, 1.1.5.2, SV-230514r854055_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /var/log   oval:ssg-test_var_log_partition_nodev_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

/var/log exists  oval:ssg-test_var_log_partition_nodev_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

nodev on /var/log in /etc/fstab  oval:ssg-test_var_log_partition_nodev_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid

/var/log exists in /etc/fstab  oval:ssg-test_var_log_partition_nodev_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4

Add noexec Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82008-4

References:  BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r854057_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.
OVAL test results details

noexec on /var/log   oval:ssg-test_var_log_partition_noexec_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

/var/log exists  oval:ssg-test_var_log_partition_noexec_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

noexec on /var/log in /etc/fstab  oval:ssg-test_var_log_partition_noexec_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid

/var/log exists in /etc/fstab  oval:ssg-test_var_log_partition_noexec_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4

Add nosuid Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82065-4

References:  BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r854056_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.
OVAL test results details

nosuid on /var/log   oval:ssg-test_var_log_partition_nosuid_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

/var/log exists  oval:ssg-test_var_log_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/log/dev/mapper/RootVG-logVola9a4865f-d677-4400-bf96-40eab2d99357xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172814489507239

nosuid on /var/log in /etc/fstab  oval:ssg-test_var_log_partition_nosuid_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid

/var/log exists in /etc/fstab  oval:ssg-test_var_log_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-logVol /var/log xfs defaults,rw,nodev,noexec,nosuid
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev mediumCCE-82068-8

Add nodev Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_tmp_nodev:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82068-8

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r854061_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /var/tmp   oval:ssg-test_var_tmp_partition_nodev_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

/var/tmp exists  oval:ssg-test_var_tmp_partition_nodev_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

nodev on /var/tmp in /etc/fstab  oval:ssg-test_var_tmp_partition_nodev_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid

/var/tmp exists in /etc/fstab  oval:ssg-test_var_tmp_partition_nodev_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-82151-2

Add noexec Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_tmp_noexec:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82151-2

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r854063_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.
OVAL test results details

noexec on /var/tmp   oval:ssg-test_var_tmp_partition_noexec_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

/var/tmp exists  oval:ssg-test_var_tmp_partition_noexec_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

noexec on /var/tmp in /etc/fstab  oval:ssg-test_var_tmp_partition_noexec_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid

/var/tmp exists in /etc/fstab  oval:ssg-test_var_tmp_partition_noexec_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-82154-6

Add nosuid Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_tmp_nosuid:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82154-6

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r854062_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
OVAL test results details

nosuid on /var/tmp   oval:ssg-test_var_tmp_partition_nosuid_optional:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

/var/tmp exists  oval:ssg-test_var_tmp_partition_nosuid_optional_exist:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/tmp/dev/mapper/RootVG-varTmpVolb3908799-0b77-49bf-b336-60d0abbdeb4dxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172811925509803

nosuid on /var/tmp in /etc/fstab  oval:ssg-test_var_tmp_partition_nosuid_optional_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid

/var/tmp exists in /etc/fstab  oval:ssg-test_var_tmp_partition_nosuid_optional_exist_in_fstab:tst:1  true

Following items have been found on the system:
PathContent
/etc/fstab/dev/mapper/RootVG-varTmpVol /var/tmp xfs defaults,rw,nodev,noexec,nosuid
Disable acquiring, saving, and processing core dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled mediumCCE-82881-4

Disable acquiring, saving, and processing core dumps

Rule IDxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_systemd-coredump_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82881-4

References:  CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010672, SV-230312r833308_rule

Description
The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
OVAL test results details

package systemd is removed  oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
systemdx86_64(none)68.el8_7.42390:239-68.el8_7.4199e2f91fd431d51systemd-0:239-68.el8_7.4.x86_64

Test that the systemd-coredump service is not running  oval:ssg-test_service_not_running_systemd-coredump:tst:1  true

Following items have been found on the system:
UnitPropertyValue
systemd-coredump.socketActiveStateinactive

Test that the property LoadState from the service systemd-coredump is masked  oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1  true

Following items have been found on the system:
UnitPropertyValue
systemd-coredump.socketLoadStatemasked
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces mediumCCE-82251-0

Disable core dump backtraces

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_backtraces
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_backtraces:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82251-0

References:  CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule

Description
The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_backtraces:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage mediumCCE-82252-8

Disable storing core dump

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_storage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_storage:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82252-8

References:  CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule

Description
The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of Storage setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_storage:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0 Storage=none
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps mediumCCE-81038-2

Disable Core Dumps for All Users

Rule IDxccdf_org.ssgproject.content_rule_disable_users_coredumps
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_users_coredumps:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81038-2

References:  1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, SRG-OS-000480-GPOS-00227, RHEL-08-010673, 1.6.1, SV-230313r627750_rule

Description
To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory: 
*     hard   core    0
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
OVAL test results details

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)1

Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d_exists:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core1

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file  oval:ssg-test_core_dumps_limitsconf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/limits.conf* hard core 0
Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-80915-2

Restrict Exposed Kernel Pointer Addresses Access

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_kptr_restrict:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80915-2

References:  BP28(R23), CCI-002824, CCI-000366, CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, RHEL-08-040283, SV-230547r858826_rule

Description
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: 
$ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.kptr_restrict = 1
Rationale
Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.
OVAL test results details

kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.kptr_restrict = 1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kptr_restrict_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.kptr_restrict = 1

kernel.kptr_restrict static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kptr_restrict_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$1

kernel.kptr_restrict static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kptr_restrict_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$1

kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.kptr_restrict = 1
/etc/sysctl.d/99-sysctl.confkernel.kptr_restrict = 1

kernel runtime parameter kernel.kptr_restrict set to 1 or 2  oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.kptr_restrict1
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0

Enable Randomized Layout of Virtual Address Space

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_randomize_va_space:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80916-0

References:  BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, 1.5.3, SV-230280r858767_rule

Description
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: 
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.randomize_va_space = 2
Rationale
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
OVAL test results details

kernel.randomize_va_space static configuration  oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.randomize_va_space = 2

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.randomize_va_space = 2

kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$1

kernel.randomize_va_space static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$1

kernel.randomize_va_space static configuration  oval:ssg-test_sysctl_kernel_randomize_va_space_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.randomize_va_space = 2
/etc/sysctl.confkernel.randomize_va_space = 2

kernel runtime parameter kernel.randomize_va_space set to 2  oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.randomize_va_space2
Enable NX or XD Support in the BIOSxccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions mediumCCE-83918-3

Enable NX or XD Support in the BIOS

Rule IDxccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-bios_enable_execution_restrictions:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83918-3

References:  BP28(R9), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.7, CCI-002824, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, SC-39, CM-6(a), PR.IP-1, Req-2.2.1, SRG-OS-000433-GPOS-00192, RHEL-08-010420, SV-230276r854031_rule

Description
Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
Rationale
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.
OVAL test results details

CPUs support for NX bit  oval:ssg-test_NX_cpu_support:tst:1  true

Following items have been found on the system:
PathContent
/proc/cpuinfoflags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves ida arat pku ospke

NX is not disabled in the kernel command line  oval:ssg-test_noexec_cmd_line:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_noexec_cmd_line:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/proc/cmdline.+noexec[0-9]*=off.+1
Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument mediumCCE-80944-2

Enable page allocator poisoning

Rule IDxccdf_org.ssgproject.content_rule_grub2_page_poison_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_page_poison_argument:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80944-2

References:  CCI-001084, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010421, SV-230277r792884_rule

Description
To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. To ensure that page_poison=1 is added as a kernel command line argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
Rationale
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
OVAL test results details

check for kernel command line parameters page_poison=1 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters page_poison=1 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_page_poison_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_page_poison_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_page_poison_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Enable SLUB/SLAB allocator poisoningxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument mediumCCE-80945-9

Enable SLUB/SLAB allocator poisoning

Rule IDxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_slub_debug_argument:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80945-9

References:  CCI-001084, CM-6(a), SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068, RHEL-08-010423, SV-230279r792888_rule

Description
To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug=P is added as a kernel command line argument to newly installed kernels, add slub_debug=P to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: 
GRUB_CMDLINE_LINUX="... slub_debug=P ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug=P"
Rationale
Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
OVAL test results details

check for kernel command line parameters slub_debug in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P

check for kernel command line parameters slub_debug in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_slub_debug_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_slub_debug_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-4.18.0-425.19.2.el8_7.x86_64.confoptions $kernelopts
/boot/loader/entries/ec28466fcf436363486da3e5b13794b1-0-rescue.confoptions $kernelopts

check for slub_debug in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_slub_debug_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1 audit=1 audit_backlog_limit=8192 pti=on vsyscall=none page_poison=1 slub_debug=P"

check for slub_debug in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_slub_debug_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_slub_debug_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY=true
Disable storing core dumpsxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern mediumCCE-82215-5

Disable storing core dumps

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_core_pattern:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82215-5

References:  CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010671, SV-230311r858769_rule

Description
To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: 
$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.core_pattern = |/bin/false
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
OVAL test results details

kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.core_pattern = |/bin/false

kernel.core_pattern static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_core_pattern_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.core_pattern = |/bin/false

kernel.core_pattern static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_core_pattern_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$1

kernel.core_pattern static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_core_pattern_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$1

kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.core_pattern = |/bin/false
/etc/sysctl.d/99-sysctl.confkernel.core_pattern = |/bin/false

kernel runtime parameter kernel.core_pattern set to |/bin/false  oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.core_pattern|/bin/false
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-80913-7

Restrict Access to Kernel Message Buffer

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_dmesg_restrict:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80913-7

References:  BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010375, SV-230269r858756_rule

Description
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: 
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.dmesg_restrict = 1
Rationale
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
OVAL test results details

kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.dmesg_restrict = 1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.dmesg_restrict = 1

kernel.dmesg_restrict static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$1

kernel.dmesg_restrict static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$1

kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.dmesg_restrict = 1
/etc/sysctl.confkernel.dmesg_restrict = 1

kernel runtime parameter kernel.dmesg_restrict set to 1  oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.dmesg_restrict1
Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-80952-5

Disable Kernel Image Loading

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_kexec_load_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80952-5

References:  CCI-001749, CM-6, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153, RHEL-08-010372, SV-230266r877463_rule

Description
To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.kexec_load_disabled = 1
Rationale
Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.
OVAL test results details

kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.kexec_load_disabled = 1

kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.kexec_load_disabled = 1

kernel.kexec_load_disabled static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel.kexec_load_disabled static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.kexec_load_disabled = 1
/etc/sysctl.d/99-sysctl.confkernel.kexec_load_disabled = 1

kernel runtime parameter kernel.kexec_load_disabled set to 1  oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.kexec_load_disabled1
Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid lowCCE-81054-9

Disallow kernel profiling by unprivileged users

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_perf_event_paranoid:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-81054-9

References:  BP28(R23), CCI-001090, AC-6, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010376, SV-230270r858758_rule

Description
To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: 
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.perf_event_paranoid = 2
Rationale
Kernel profiling can reveal sensitive information about kernel behaviour.
OVAL test results details

kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.perf_event_paranoid = 2

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.perf_event_paranoid = 2

kernel.perf_event_paranoid static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$1

kernel.perf_event_paranoid static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$1

kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.perf_event_paranoid = 2
/etc/sysctl.confkernel.perf_event_paranoid = 2

kernel runtime parameter kernel.perf_event_paranoid set to 2  oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.perf_event_paranoid2
Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-82974-7

Disable Access to Network bpf() Syscall From Unprivileged Processes

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82974-7

References:  CCI-000366, AC-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040281, SV-230545r858822_rule

Description
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: 
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.unprivileged_bpf_disabled = 1
Rationale
Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.
OVAL test results details

kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.unprivileged_bpf_disabled = 1

kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.unprivileged_bpf_disabled = 1

kernel.unprivileged_bpf_disabled static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel.unprivileged_bpf_disabled static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$1

kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.unprivileged_bpf_disabled = 1
/etc/sysctl.d/99-sysctl.confkernel.unprivileged_bpf_disabled = 1

kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.unprivileged_bpf_disabled1
Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-80953-3

Restrict usage of ptrace to descendant processes

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_yama_ptrace_scope:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80953-3

References:  BP28(R25), CCI-000366, SC-7(10), SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040282, SV-230546r858824_rule

Description
To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: 
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.yama.ptrace_scope = 1
Rationale
Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
OVAL test results details

kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.yama.ptrace_scope = 1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.yama.ptrace_scope = 1

kernel.yama.ptrace_scope static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$1

kernel.yama.ptrace_scope static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$1

kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.yama.ptrace_scope = 1
/etc/sysctl.confkernel.yama.ptrace_scope = 1

kernel runtime parameter kernel.yama.ptrace_scope set to 1  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.yama.ptrace_scope1
Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-82934-1

Harden the operation of the BPF just-in-time compiler

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_core_bpf_jit_harden:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82934-1

References:  CCI-000366, CM-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040286, SV-244554r858832_rule

Description
To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: 
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.core.bpf_jit_harden = 2
Rationale
When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.
OVAL test results details

net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.core.bpf_jit_harden = 2

net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.core.bpf_jit_harden = 2

net.core.bpf_jit_harden static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$1

net.core.bpf_jit_harden static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$1

net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.core.bpf_jit_harden = 2
/etc/sysctl.d/99-sysctl.confnet.core.bpf_jit_harden = 2

kernel runtime parameter net.core.bpf_jit_harden set to 2  oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.core.bpf_jit_harden2
Disable the use of user namespacesxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces mediumCCE-82211-4

Disable the use of user namespaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_user_max_user_namespaces:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82211-4

References:  CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040284, SV-230548r858828_rule

Description
To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command: 
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.
Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.
Warnings
warning  This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, it is expected that user.max_user_namespaces will be enabled.
OVAL test results details

user.max_user_namespaces static configuration  oval:ssg-test_sysctl_user_max_user_namespaces_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confuser.max_user_namespaces = 0

user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_user_max_user_namespaces_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confuser.max_user_namespaces = 0

user.max_user_namespaces static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_user_max_user_namespaces_static_run_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$1

user.max_user_namespaces static configuration in /usr/local/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_user_max_user_namespaces_static_usr_local_lib_sysctld:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/usr/local/lib/sysctl.d^.*\.conf$^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$1

user.max_user_namespaces static configuration  oval:ssg-test_sysctl_user_max_user_namespaces_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/sysctl.confuser.max_user_namespaces = 0
/etc/sysctl.d/99-sysctl.confuser.max_user_namespaces = 0

kernel runtime parameter user.max_user_namespaces set to 0  oval:ssg-test_sysctl_user_max_user_namespaces_runtime:tst:1  true

Following items have been found on the system:
NameValue
user.max_user_namespaces0
Install policycoreutils Packagexccdf_org.ssgproject.content_rule_package_policycoreutils_installed lowCCE-82976-2

Install policycoreutils Package

Rule IDxccdf_org.ssgproject.content_rule_package_policycoreutils_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_policycoreutils_installed:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82976-2

References:  CCI-001084, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010171, SV-230241r627750_rule

Description
The policycoreutils package can be installed with the following command: 
$ sudo yum install policycoreutils
Rationale
Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on.
OVAL test results details

package policycoreutils is installed  oval:ssg-test_package_policycoreutils_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
policycoreutilsx86_64(none)20.el82.90:2.9-20.el8199e2f91fd431d51policycoreutils-0:2.9-20.el8.x86_64
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3

Configure SELinux Policy

Rule IDxccdf_org.ssgproject.content_rule_selinux_policytype
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_policytype:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80868-3

References:  BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010450, 1.6.1.3, SV-230282r854035_rule

Description
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: 
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale
Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.
OVAL test results details

Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file  oval:ssg-test_selinux_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/selinux/configSELINUXTYPE=targeted
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-80869-1

Ensure SELinux State is Enforcing

Rule IDxccdf_org.ssgproject.content_rule_selinux_state
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_state:def:1
Time2023-05-08T20:23:01+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80869-1

References:  BP28(R4), BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, RHEL-08-010170, 1.6.1.5, SV-230240r627750_rule

Description
The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: 
SELINUX=enforcing
Rationale
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
OVAL test results details

/selinux/enforce is 1  oval:ssg-test_etc_selinux_config:tst:1  true

Following items have been found on the system:
PathContent
/etc/selinux/configSELINUX=enforcing
Uninstall Automatic Bug Reporting Tool (abrt)xccdf_org.ssgproject.content_rule_package_abrt_removed mediumCCE-80948-3

Uninstall Automatic Bug Reporting Tool (abrt)

Rule IDxccdf_org.ssgproject.content_rule_package_abrt_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_abrt_removed:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80948-3

References:  CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Description
The Automatic Bug Reporting Tool (abrt) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrt package can be removed with the following command: 
$ sudo yum erase abrt
Rationale
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.
OVAL test results details

package abrt is removed  oval:ssg-test_package_abrt_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type rpminfo_object
Name
abrt
Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-80878-2

Disable KDump Kernel Crash Analyzer (kdump)

Rule IDxccdf_org.ssgproject.content_rule_service_kdump_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_kdump_disabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80878-2

References:  11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, CCI-001665, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227, RHEL-08-010670, SV-230310r627750_rule

Description
The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command: 
$ sudo systemctl mask --now kdump.service
Rationale
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.
OVAL test results details

package kexec-tools is removed  oval:ssg-test_service_kdump_package_kexec-tools_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
kexec-toolsx86_64(none)6.el82.0.240:2.0.24-6.el8199e2f91fd431d51kexec-tools-0:2.0.24-6.el8.x86_64

Test that the kdump service is not running  oval:ssg-test_service_not_running_kdump:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_kdump:obj:1 of type systemdunitproperty_object
UnitProperty
^kdump\.(service|socket)$ActiveState

Test that the property LoadState from the service kdump is masked  oval:ssg-test_service_loadstate_is_masked_kdump:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_kdump:obj:1 of type systemdunitproperty_object
UnitProperty
^kdump\.(service|socket)$LoadState
Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-82191-8

Install fapolicyd Package

Rule IDxccdf_org.ssgproject.content_rule_package_fapolicyd_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_fapolicyd_installed:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82191-8

References:  CCI-001764, CCI-001774, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040135, SV-230523r854064_rule

Description
The fapolicyd package can be installed with the following command: 
$ sudo yum install fapolicyd
Rationale
fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights.
OVAL test results details

package fapolicyd is installed  oval:ssg-test_package_fapolicyd_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
fapolicydx86_64(none)8.el8_7.11.1.30:1.1.3-8.el8_7.1199e2f91fd431d51fapolicyd-0:1.1.3-8.el8_7.1.x86_64
Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-82249-4

Enable the File Access Policy Service

Rule IDxccdf_org.ssgproject.content_rule_service_fapolicyd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_fapolicyd_enabled:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82249-4

References:  CCI-001764, CCI-001774, CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040136, SV-244545r854074_rule

Description
The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command: 
$ sudo systemctl enable fapolicyd.service
Rationale
The fapolicyd service (File Access Policy Daemon) implements application whitelisting to decide file access rights.
OVAL test results details

package fapolicyd is installed  oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
fapolicydx86_64(none)8.el8_7.11.1.30:1.1.3-8.el8_7.1199e2f91fd431d51fapolicyd-0:1.1.3-8.el8_7.1.x86_64

Test that the fapolicyd service is running  oval:ssg-test_service_running_fapolicyd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
fapolicyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_fapolicyd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.xccdf_org.ssgproject.content_rule_fapolicy_default_deny mediumCCE-86478-5

Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.

Rule IDxccdf_org.ssgproject.content_rule_fapolicy_default_deny
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-fapolicy_default_deny:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86478-5

References:  CCI-001764, CM-7 (2), CM-7 (5) (b), CM-6 b, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232, RHEL-08-040137, SV-244546r858730_rule

Description
The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.
Rationale
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
OVAL test results details

fapolicyd employs a deny-all policy in compiled.rules file  oval:ssg-test_fapolicy_default_deny_policy_with_rulesd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_fapolicy_default_deny_policy_compiled_rules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fapolicyd/compiled.rules^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z1

fapolicyd employs a deny-all policy in fapolicyd.rules file  oval:ssg-test_fapolicy_default_deny_policy_without_rulesd:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_fapolicy_default_deny_policy_fapolicyd_rules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fapolicyd/fapolicyd.rules^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z1

permissive mode is disabled in fapolicyd settings  oval:ssg-test_fapolicy_default_deny_enforcement:tst:1  true

Following items have been found on the system:
PathContent
/etc/fapolicyd/fapolicyd.conf permissive = 0
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-82414-4

Uninstall vsftpd Package

Rule IDxccdf_org.ssgproject.content_rule_package_vsftpd_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_vsftpd_removed:def:1
Time2023-05-08T20:23:01+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82414-4

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, Req-2.2.4, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040360, 2.2.8, SV-230558r627750_rule

Description
The vsftpd package can be removed with the following command: 
 $ sudo yum erase vsftpd
Rationale
Removing the vsftpd package decreases the risk of its accidental activation.
OVAL test results details

package vsftpd is removed  oval:ssg-test_package_vsftpd_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
Name
vsftpd
Remove the Kerberos Server Packagexccdf_org.ssgproject.content_rule_package_krb5-server_removed mediumCCE-85887-8

Remove the Kerberos Server Package

Rule IDxccdf_org.ssgproject.content_rule_package_krb5-server_removed
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85887-8

References:  CCI-000803, IA-7, IA-7.1, SRG-OS-000120-GPOS-00061, RHEL-08-010163, SV-237640r646890_rule

Description
The krb5-server package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The krb5-server package can be removed with the following command: 
$ sudo yum erase krb5-server
The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server it should be removed.
Rationale
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems.
Disable Kerberos by removing host keytabxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab mediumCCE-82175-1

Disable Kerberos by removing host keytab

Rule IDxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82175-1

References:  CCI-000803, 0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, RHEL-08-010161, SV-230238r646862_rule

Description
Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab.
Rationale
The key derivation function (KDF) in Kerberos is not FIPS compatible.
Configure System to Forward All Mail From Postmaster to The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster mediumCCE-89063-2

Configure System to Forward All Mail From Postmaster to The Root Account

Rule IDxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-postfix_client_configure_mail_alias_postmaster:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-89063-2

References:  CCI-000139, AU-5(a), AU-5.1(ii), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule

Description
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". 
$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root
Rationale
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
OVAL test results details

Check if postmaster has the correct mail alias  oval:ssg-test_postfix_client_configure_mail_alias_postmaster:tst:1  true

Following items have been found on the system:
PathContent
/etc/aliasespostmaster: root
Prevent Unrestricted Mail Relayingxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay mediumCCE-84054-6

Prevent Unrestricted Mail Relaying

Rule IDxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-postfix_prevent_unrestricted_relay:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84054-6

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-040290, SV-230550r627750_rule

Description
Modify the 
/etc/postfix/main.cf
file to restrict client connections to the local network with the following command: 
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
Rationale
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then

if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
	echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
else
	sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-84054-6
  - DISA-STIG-RHEL-08-040290
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_prevent_unrestricted_relay
  - restrict_strategy

- name: Prevent Unrestricted Mail Relaying
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/postfix/main.cf
      create: false
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/postfix/main.cf
    lineinfile:
      path: /etc/postfix/main.cf
      create: false
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/postfix/main.cf
    lineinfile:
      path: /etc/postfix/main.cf
      create: true
      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
      line: smtpd_client_restrictions = permit_mynetworks,reject
      state: present
  when:
  - '"postfix" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84054-6
  - DISA-STIG-RHEL-08-040290
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_prevent_unrestricted_relay
  - restrict_strategy
OVAL test results details

tests the value of smtpd_client_restrictions setting in the /etc/postfix/main.cf file  oval:ssg-test_postfix_prevent_unrestricted_relay:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_postfix_prevent_unrestricted_relay:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/postfix/main.cf^[ \t]*smtpd_client_restrictions = (.+?)[ \t]*(?:$|#)1

The configuration file /etc/postfix/main.cf exists for postfix_prevent_unrestricted_relay  oval:ssg-test_postfix_prevent_unrestricted_relay_config_file_exists:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/postfix/main.cfregular0029369rw-r--r-- 
/etc/postfix/main.cf.protoregular0029130rw-r--r-- 
The Postfix package is installedxccdf_org.ssgproject.content_rule_package_postfix_installed mediumCCE-85983-5

The Postfix package is installed

Rule IDxccdf_org.ssgproject.content_rule_package_postfix_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_postfix_installed:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85983-5

References:  SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule

Description
A mail server is required for sending emails. The postfix package can be installed with the following command: 
$ sudo yum install postfix
Rationale
Emails can be used to notify designated personnel about important system events such as failures or warnings.
OVAL test results details

package postfix is installed  oval:ssg-test_package_postfix_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
postfixx86_6424.el83.5.82:3.5.8-4.el8199e2f91fd431d51postfix-2:3.5.8-4.el8.x86_64
Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-81039-0

Uninstall Sendmail Package

Rule IDxccdf_org.ssgproject.content_rule_package_sendmail_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_sendmail_removed:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81039-0

References:  BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, RHEL-08-040002, SV-230489r627750_rule

Description
Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command: 
$ sudo yum erase sendmail
Rationale
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
OVAL test results details

package sendmail is removed  oval:ssg-test_package_sendmail_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type rpminfo_object
Name
sendmail
Mount Remote Filesystems with nodevxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems mediumCCE-84052-0

Mount Remote Filesystems with nodev

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nodev_remote_filesystems:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84052-0

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010640, SV-230307r627750_rule

Description
Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
OVAL test results details

no nfs  oval:ssg-test_no_nfs_defined_etc_fstab_nodev:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_nodev:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0

all nfs has nodev  oval:ssg-test_nfs_nodev_etc_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_nodev_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0
Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems mediumCCE-84050-4

Mount Remote Filesystems with noexec

Rule IDxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_noexec_remote_filesystems:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84050-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010630, SV-230306r627750_rule

Description
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
OVAL test results details

no nfs  oval:ssg-test_no_nfs_defined_etc_fstab_noexec:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_noexec:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0

all nfs has noexec  oval:ssg-test_nfs_noexec_etc_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_noexec_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0
Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-84053-8

Mount Remote Filesystems with nosuid

Rule IDxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_nosuid_remote_filesystems:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84053-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010650, SV-230308r627750_rule

Description
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Rationale
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
OVAL test results details

no nfs  oval:ssg-test_no_nfs_defined_etc_fstab_nosuid:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0

all nfs has nosuid  oval:ssg-test_nfs_nosuid_etc_fstab:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/fstab^\s*\[?[\.\w:-]+\]?[:=][/\w-]+\s+[/\w\\-]+\s+nfs[4]?\s+(.*)$0
Disable chrony daemon from acting as serverxccdf_org.ssgproject.content_rule_chronyd_client_only lowCCE-82988-7

Disable chrony daemon from acting as server

Rule IDxccdf_org.ssgproject.content_rule_chronyd_client_only
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_client_only:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82988-7

References:  CCI-000381, AU-8(1), AU-12(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030741, SV-230485r627750_rule

Description
The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.
Rationale
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
OVAL test results details

package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
chronyx86_64(none)1.el84.20:4.2-1.el8199e2f91fd431d51chrony-0:4.2-1.el8.x86_64

Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
chronyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

check if port is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_client_only:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.confport 0
Disable network management of chrony daemonxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network lowCCE-82840-0

Disable network management of chrony daemon

Rule IDxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_no_chronyc_network:def:1
Time2023-05-08T20:23:01+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82840-0

References:  CCI-000381, CM-7(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030742, SV-230486r627750_rule

Description
The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
Rationale
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
OVAL test results details

package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
chronyx86_64(none)1.el84.20:4.2-1.el8199e2f91fd431d51chrony-0:4.2-1.el8.x86_64

Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
chronyd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

check if cmdport is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_no_chronyc_network:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.confcmdport 0
Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll mediumCCE-84059-5

Configure Time Service Maxpoll Interval

Rule IDxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_or_ntpd_set_maxpoll:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84059-5

References:  1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r877038_rule

Description
The maxpoll should be configured to 16 in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following after each `server`, `pool` or `peer` entry: 
maxpoll 16
to 
server
directives. If using chrony any 
pool
directives should be configured too. If no server or pool directives are configured, the rule evaluates to pass.
Rationale
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
OVAL test results details

check if no server entries in /etc/ntp.conf  oval:ssg-test_ntp_no_server:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_no_server_nor_pool:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server.*1

check if maxpoll is set in /etc/ntp.conf  oval:ssg-test_ntp_set_maxpoll:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server[\s]+[\S]+.*maxpoll[\s]+(\d+)1

check if all server entries have maxpoll set in /etc/ntp.conf  oval:ssg-test_ntp_all_server_has_maxpoll:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ntp.conf^server[\s]+[\S]+[\s]+(.*)1

check if no server entries have server or pool set in /etc/chrony.conf  oval:ssg-test_chrony_no_server_nor_pool:tst:1  false

Following items have been found on the system:
PathContent
/etc/chrony.d/servers.confserver 0.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 2.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 1.rhel.pool.ntp.org iburst maxpoll 16

check if maxpoll is set in /etc/chrony.conf  oval:ssg-test_chrony_set_maxpoll:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.d/servers.confserver 2.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 0.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 1.rhel.pool.ntp.org iburst maxpoll 16

check if all server entries have maxpoll set in /etc/chrony.conf  oval:ssg-test_chrony_all_server_has_maxpoll:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.d/servers.confserver 1.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 0.rhel.pool.ntp.org iburst maxpoll 16
/etc/chrony.d/servers.confserver 2.rhel.pool.ntp.org iburst maxpoll 16
Ensure Chrony is only configured with the server directivexccdf_org.ssgproject.content_rule_chronyd_server_directive mediumCCE-86077-5

Ensure Chrony is only configured with the server directive

Rule IDxccdf_org.ssgproject.content_rule_chronyd_server_directive
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_server_directive:def:1
Time2023-05-08T20:23:01+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86077-5

References:  CCI-001891, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r877038_rule

Description
Check that Chrony only has time sources configured with the server directive.
Rationale
Depending on the infrastruture being used the pool directive may not be supported.
Warnings
warning  This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
OVAL test results details

Ensure at least one time source is set with server directive  oval:ssg-test_chronyd_server_directive_with_server:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.d/servers.confserver 0.rhel.pool.ntp.org iburst maxpoll 16

Ensure no time source is set with pool directive  oval:ssg-test_chronyd_server_directive_no_pool:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_no_pool_directive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/chrony\.(conf|d/.+\.conf)$^[\s]+pool.*$1
Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-82184-3

Uninstall rsh-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_rsh-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsh-server_removed:def:1
Time2023-05-08T20:23:01+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82184-3

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule

Description
The rsh-server package can be removed with the following command: 
$ sudo yum erase rsh-server
Rationale
The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
OVAL test results details

package rsh-server is removed  oval:ssg-test_package_rsh-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type rpminfo_object
Name
rsh-server
Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files highCCE-84055-3

Remove Host-Based Authentication Files

Rule IDxccdf_org.ssgproject.content_rule_no_host_based_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_host_based_files:def:1
Time2023-05-08T20:23:01+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-84055-3

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010460, SV-230283r627750_rule

Description
The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: 
$ sudo rm /[path]/[to]/[file]/shosts.equiv
Rationale
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
OVAL test results details

look for shosts.equiv in /  oval:ssg-test_no_shosts_equiv:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type file_object
BehaviorsPathFilename
no value/shosts.equiv
Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files highCCE-84056-1

Remove User Host-Based Authentication Files

Rule IDxccdf_org.ssgproject.content_rule_no_user_host_based_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_user_host_based_files:def:1
Time2023-05-08T20:23:02+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-84056-1

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010470, SV-230284r627750_rule

Description
The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: 
$ sudo find / -name '.shosts' -type f -delete
Rationale
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
OVAL test results details

look for .shosts in /  oval:ssg-test_no_shosts:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type file_object
BehaviorsPathFilename
no value/.shosts
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7

Uninstall telnet-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_telnet-server_removed:def:1
Time2023-05-08T20:23:02+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82182-7

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule

Description
The telnet-server package can be removed with the following command: 
$ sudo yum erase telnet-server
Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
OVAL test results details

package telnet-server is removed  oval:ssg-test_package_telnet-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
Name
telnet-server
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-82436-7

Uninstall tftp-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_tftp-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tftp-server_removed:def:1
Time2023-05-08T20:23:02+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82436-7

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule

Description
The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
Rationale
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
OVAL test results details

package tftp-server is removed  oval:ssg-test_package_tftp-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
Name
tftp-server
Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode mediumCCE-82434-2

Ensure tftp Daemon Uses Secure Mode

Rule IDxccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
Result
notapplicable
Multi-check ruleno
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82434-2

References:  11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(b), AC-6, CM-7(a), PR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040350, SV-230557r627750_rule

Description
If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example: 
server_args = -s /var/lib/tftpboot
Rationale
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
Verify the SSH Private Key Files Have a Passcodexccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected mediumCCE-90781-6

Verify the SSH Private Key Files Have a Passcode

Rule IDxccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected
Result
notchecked
Multi-check ruleno
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-90781-6

References:  SRG-OS-000067-GPOS-00035, RHEL-08-010100, SV-230230r627750_rule

Description
When creating SSH key pairs, always use a passcode.
You can create such keys with the following command: 
$ sudo ssh-keygen -n [passphrase]
Red Hat Enterprise Linux 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
Rationale
If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
Evaluation messages
info  
No candidate or applicable check found.
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9

Set SSH Client Alive Count Max

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_keepalive:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80907-9

References:  BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, RHEL-08-010200, 5.2.20, SV-230244r858697_rule

Description
The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
Rationale
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveCountMax 1 #UseDNS no
/etc/ssh/sshd_configClientAliveCountMax 1
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-80896-4

Disable SSH Access via Empty Passwords

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_empty_passwords:def:1
Time2023-05-08T20:23:02+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80896-4

References:  NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, RHEL-08-020330, 5.2.9, SV-230380r858715_rule

Description
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config: 
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_empty_passwords:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitEmptyPasswords no

Verify that the value of PermitEmptyPasswords is present  oval:ssg-test_PermitEmptyPasswords_present_sshd_disable_empty_passwords:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitEmptyPasswords no
Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80897-2

Disable GSSAPI Authentication

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_gssapi_auth:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80897-2

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010522, SV-244528r858709_rule

Description
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config: 
GSSAPIAuthentication no
Rationale
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_gssapi_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configGSSAPIAuthentication no

Verify that the value of GSSAPIAuthentication is present  oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configGSSAPIAuthentication no
Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80898-0

Disable Kerberos Authentication

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_kerb_auth:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80898-0

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010521, SV-230291r858707_rule

Description
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: 
KerberosAuthentication no
Rationale
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_kerb_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configKerberosAuthentication no

Verify that the value of KerberosAuthentication is present  oval:ssg-test_KerberosAuthentication_present_sshd_disable_kerb_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configKerberosAuthentication no
Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-80902-0

Disable SSH Support for User Known Hosts

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_user_known_hosts:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80902-0

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, RHEL-08-010520, SV-230290r858705_rule

Description
SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: 
IgnoreUserKnownHosts yes
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_user_known_hosts:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configIgnoreUserKnownHosts yes

Verify that the value of IgnoreUserKnownHosts is present  oval:ssg-test_IgnoreUserKnownHosts_present_sshd_disable_user_known_hosts:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configIgnoreUserKnownHosts yes
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-83360-8

Disable X11 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_x11_forwarding:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83360-8

References:  CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r858721_rule

Description
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config: 
X11Forwarding no
Rationale
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11Forwarding no

Verify that the value of X11Forwarding is present  oval:ssg-test_X11Forwarding_present_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11Forwarding no
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-80903-8

Do Not Allow SSH Environment Options

Rule IDxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_do_not_permit_user_env:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80903-8

References:  11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.6, SRG-OS-000480-GPOS-00229, RHEL-08-010830, 5.2.10, SV-230330r877377_rule

Description
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config: 
PermitUserEnvironment no
Rationale
SSH environment options potentially allow users to bypass access restriction in some configurations.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_do_not_permit_user_env:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitUserEnvironment no

Verify that the value of PermitUserEnvironment is present  oval:ssg-test_PermitUserEnvironment_present_sshd_do_not_permit_user_env:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitUserEnvironment no
Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80904-6

Enable Use of Strict Mode Checking

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_strictmodes:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80904-6

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010500, SV-230288r858701_rule

Description
SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config: 
StrictModes yes
Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of StrictModes setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_strictmodes:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configStrictModes yes

Verify that the value of StrictModes is present  oval:ssg-test_StrictModes_present_sshd_enable_strictmodes:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configStrictModes yes
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-80905-3

Enable SSH Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_warning_banner:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80905-3

References:  1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.6, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r858694_rule

Description
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: 
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
Rationale
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of Banner setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_warning_banner:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configBanner /etc/issue

Verify that the value of Banner is present  oval:ssg-test_Banner_present_sshd_enable_warning_banner:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configBanner /etc/issue
Enable SSH Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-82281-7

Enable SSH Print Last Log

Rule IDxccdf_org.ssgproject.content_rule_sshd_print_last_log
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_print_last_log:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82281-7

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-08-020350, SV-230382r858717_rule

Description
Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config: 
PrintLastLog yes
Rationale
Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_print_last_log:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPrintLastLog yes

Verify that the value of PrintLastLog is present  oval:ssg-test_PrintLastLog_present_sshd_print_last_log:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPrintLastLog yes
Force frequent session key renegotiationxccdf_org.ssgproject.content_rule_sshd_rekey_limit mediumCCE-82177-7

Force frequent session key renegotiation

Rule IDxccdf_org.ssgproject.content_rule_sshd_rekey_limit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_rekey_limit:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82177-7

References:  CCI-000068, FCS_SSH_EXT.1.8, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014, RHEL-08-040161, SV-230527r877398_rule

Description
The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.
To decrease the default limits, add or correct the following line in /etc/ssh/sshd_config: 
RekeyLimit 1G 1h
Rationale
By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of RekeyLimit setting in the file  oval:ssg-test_sshd_rekey_limit:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configRekeyLimit 1G 1h
Use Only FIPS 140-2 Validated Key Exchange Algorithmsxccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig mediumCCE-86059-3

Use Only FIPS 140-2 Validated Key Exchange Algorithms

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_approved_kex_ordered_stig:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86059-3

References:  CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, RHEL-08-040342, SV-255924r880733_rule

Description
Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config 
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms.
Rationale
DoD information systems are required to use FIPS-approved key exchange algorithms. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive.
warning  System crypto modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this requirements, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
redhat-releasex86_64(none)0.3.el88.70:8.7-0.3.el8199e2f91fd431d51redhat-release-0:8.7-0.3.el8.x86_64

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="rhel"

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseVERSION_ID="8.7"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="rhel"

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseVERSION_ID="8.7"

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of Kex algorithms setting in the /etc/crypto-policies/back-ends/opensshserver.config file  oval:ssg-test_sshd_use_approved_kex_ordered_stig:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/back-ends/opensshserver.configCRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'
SSH server uses strong entropy to seedxccdf_org.ssgproject.content_rule_sshd_use_strong_rng lowCCE-82462-3

SSH server uses strong entropy to seed

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_strong_rng
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_strong_rng:def:1
Time2023-05-08T20:23:02+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82462-3

References:  CCI-000366, FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00232, SRG-OS-000480-GPOS-00227, RHEL-08-010292, SV-230253r627750_rule

Description
To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line 
SSH_USE_STRONG_RNG=32
Rationale
SSH implementation in Red Hat Enterprise Linux 8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.
Warnings
warning  This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.
OVAL test results details

tests the value of SSH_USE_STRONG_RNG setting in the /etc/sysconfig/sshd file  oval:ssg-test_sshd_use_strong_rng:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysconfig/sshdSSH_USE_STRONG_RNG=32
Prevent remote hosts from connecting to the proxy displayxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost mediumCCE-84058-7

Prevent remote hosts from connecting to the proxy display

Rule IDxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_x11_use_localhost:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84058-7

References:  CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040341, SV-230556r858723_rule

Description
The SSH daemon should prevent remote hosts from connecting to the proxy display.
The default SSH configuration for X11UseLocalhost is yes, which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config: X11UseLocalhost yes
Rationale
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_x11_use_localhost:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11UseLocalhost yes

Verify that the value of X11UseLocalhost is present  oval:ssg-test_X11UseLocalhost_present_sshd_x11_use_localhost:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11UseLocalhost yes
Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-83303-8

Install the OpenSSH Server Package

Rule IDxccdf_org.ssgproject.content_rule_package_openssh-server_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_openssh-server_installed:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83303-8

References:  13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, RHEL-08-040159, SV-244549r854078_rule

Description
The openssh-server package should be installed. The openssh-server package can be installed with the following command: 
$ sudo yum install openssh-server
Rationale
Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
OVAL test results details

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64
Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-82426-8

Enable the OpenSSH Service

Rule IDxccdf_org.ssgproject.content_rule_service_sshd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_sshd_enabled:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82426-8

References:  13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, RHEL-08-040160, SV-230526r854067_rule

Description
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: 
$ sudo systemctl enable sshd.service
Rationale
Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
OVAL test results details

package openssh-server is installed  oval:ssg-test_service_sshd_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)17.el8_78.0p10:8.0p1-17.el8_7199e2f91fd431d51openssh-server-0:8.0p1-17.el8_7.x86_64

Test that the sshd service is running  oval:ssg-test_service_running_sshd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
sshd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_sshd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_sshd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-82424-3

Verify Permissions on SSH Server Private *_key Key Files

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_private_key:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82424-3

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010490, 5.2.2, SV-230287r880714_rule

Description
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.
Rationale
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
OVAL test results details

No keys that have unsafe ownership/permissions combination exist  oval:ssg-test_no_offending_keys:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_offending_keys:obj:1 of type file_object
PathFilenameFilterFilterFilter
/etc/ssh.*_key$oval:ssg-exclude_symlinks__sshd_private_key:ste:1oval:ssg-filter_ssh_key_owner_root:ste:1oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-82428-4

Verify Permissions on SSH Server Public *.pub Key Files

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_pub_key:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82428-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010480, 5.2.3, SV-230286r627750_rule

Description
To properly set the permissions of /etc/ssh/*.pub, run the command: 
$ sudo chmod 0644 /etc/ssh/*.pub
Rationale
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
OVAL test results details

Testing mode of /etc/ssh/  oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/ssh^.*\.pub$oval:ssg-exclude_symlinks__sshd_pub_key:ste:1oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1
Certificate status checking in SSSDxccdf_org.ssgproject.content_rule_sssd_certificate_verification mediumCCE-86120-3

Certificate status checking in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_certificate_verification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_certificate_verification:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86120-3

References:  CCI-001948, CCI-001954, IA-2(11), SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, RHEL-08-010400, SV-230274r858741_rule

Description
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards. Configuring certificate_verification to ocsp_dgst=sha1 ensures that certificates for multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
Rationale
Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system.
OVAL test results details

test the value of certificate_verification in sssd configuration  oval:ssg-test_sssd_certificate_verification:tst:1  true

Following items have been found on the system:
PathContent
/etc/sssd/conf.d/certificate_verification.conf[sssd] certificate_verification = ocsp_dgst = sha1
Enable Certmap in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_certmap mediumCCE-86060-1

Enable Certmap in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_enable_certmap
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_enable_certmap:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86060-1

References:  CCI-000187, IA-5 (2) (c), SRG-OS-000068-GPOS-00036, RHEL-08-020090, SV-230355r858743_rule

Description
SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like certmap/testing.test/rule_name is setup in /etc/sssd/sssd.conf. For example 
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
Rationale
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
Warnings
warning  Automatic remediation of this control is not available, since all of the settings in in the certmap need to be customized.
OVAL test results details

tests the presence of '\[certmap\/.+\/.+\]' setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_enable_certmap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_certmap:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sssd/sssd.conf^[\s]*\[certmap\/.+\/.+\][\s]*$1
Enable Smartcards in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards mediumCCE-80909-5

Enable Smartcards in SSSD

Rule IDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_enable_smartcards:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80909-5

References:  CCI-001954, CCI-000765, CCI-000766, CCI-000767, CCI-000768, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, Req-8.3, SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, RHEL-08-020250, SV-230372r627750_rule

Description
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to True under the [pam] section in /etc/sssd/sssd.conf. For example: 
[pam]
pam_cert_auth = True
Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example: 
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to include the "allow_missing_name" option, like in the following example: 
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
OVAL test results details

tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_enable_smartcards:tst:1  true

Following items have been found on the system:
PathContent
/etc/sssd/sssd.conf[pam] pam_cert_auth = True

tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/smartcard-auth  oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/smartcard-authauth sufficient pam_sss.so allow_missing_name

tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/system-auth  oval:ssg-test_sssd_enable_smartcards_cert_auth_system_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
Configure SSSD to Expire Offline Credentialsxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration mediumCCE-82460-7

Configure SSSD to Expire Offline Credentials

Rule IDxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sssd_offline_cred_expiration:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82460-7

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-002007, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, RHEL-08-020290, SV-230376r854036_rule

Description
SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command: 
$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing no further checks are required.
To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example: 
[pam]
offline_credentials_expiration = 1
Rationale
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
OVAL test results details

tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_offline_cred_expiration:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_offline_cred_expiration:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sssd/sssd.conf^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1\s*(?:#.*)?$1

tests the value of cache_credentials setting in the /etc/sssd/sssd.conf file  oval:ssg-test_sssd_cache_credentials:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_cache_credentials:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sssd/sssd.conf^[\s]*cache_credentials\s*=\s*(\w+)\s*(?:#.*)?$1
Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-82959-8

Install usbguard Package

Rule IDxccdf_org.ssgproject.content_rule_package_usbguard_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_usbguard_installed:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82959-8

References:  CCI-001958, 1418, CM-8(3), IA-3, SRG-OS-000378-GPOS-00163, RHEL-08-040139, SV-244547r854076_rule

Description
The usbguard package can be installed with the following command: 
$ sudo yum install usbguard
Rationale
usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.
OVAL test results details

package usbguard is installed  oval:ssg-test_package_usbguard_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
usbguardx86_64(none)8.el8_7.21.0.00:1.0.0-8.el8_7.2199e2f91fd431d51usbguard-0:1.0.0-8.el8_7.2.x86_64
Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-82853-3

Enable the USBGuard Service

Rule IDxccdf_org.ssgproject.content_rule_service_usbguard_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_usbguard_enabled:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82853-3

References:  CCI-000416, CCI-001958, 1418, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040141, SV-244548r854077_rule

Description
The USBGuard service should be enabled. The usbguard service can be enabled with the following command: 
$ sudo systemctl enable usbguard.service
Rationale
The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.
OVAL test results details

package usbguard is installed  oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
usbguardx86_64(none)8.el8_7.21.0.00:1.0.0-8.el8_7.2199e2f91fd431d51usbguard-0:1.0.0-8.el8_7.2.x86_64

Test that the usbguard service is running  oval:ssg-test_service_running_usbguard:tst:1  true

Following items have been found on the system:
UnitPropertyValue
usbguard.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_usbguard:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service

systemd test  oval:ssg-test_multi_user_wants_usbguard_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetsystemd-machine-id-commit.servicesystemd-sysctl.servicesystemd-hwdb-update.servicesystemd-ask-password-console.pathsys-fs-fuse-connections.mountlvm2-monitor.servicekmod-static-nodes.servicesystemd-tmpfiles-setup-dev.servicesys-kernel-debug.mountselinux-autorelabel-mark.servicesystemd-modules-load.serviceplymouth-read-write.servicesystemd-udev-trigger.servicesystemd-random-seed.servicesystemd-firstboot.servicenis-domainname.servicedracut-shutdown.servicesystemd-journald.servicedev-hugepages.mountswap.targetldconfig.servicesystemd-udevd.servicesystemd-tmpfiles-setup.serviceloadmodules.serviceplymouth-start.servicesystemd-journal-catalog-update.servicelvm2-lvmpolld.socketsystemd-update-done.serviceimport-state.servicecryptsetup.targetsystemd-journal-flush.servicesystemd-sysusers.servicedev-mqueue.mountrngd.servicelocal-fs.targetvar-log.mountvar-log-audit.mountvar.mountvar-tmp.mounthome.mountsystemd-remount-fs.servicetmp.mountsystemd-update-utmp.serviceproc-sys-fs-binfmt_misc.automountsystemd-binfmt.servicesys-kernel-config.mountmicrocode.serviceusbguard.servicetimers.targetsystemd-tmpfiles-clean.timerunbound-anchor.timerdnf-makecache.timerslices.target-.slicesystem.slicesockets.targetsystemd-journald.socketsystemd-journald-dev-log.socketdbus.socketsystemd-coredump.socketsystemd-initctl.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsssd-kcm.socketpcscd.socketdm-event.socketpaths.targetirqbalance.servicerhsmcertd.servicefirewalld.servicesystemd-logind.servicesystemd-update-utmp-runlevel.servicersyslog.serviceNetworkManager.servicesshd.servicesssd.servicegetty.targetserial-getty@ttyS0.servicegetty@tty1.serviceamazon-ssm-agent.serviceauditd.servicesystemd-ask-password-wall.pathremote-fs.targetcloud-init.targetcloud-init-local.servicecloud-init.servicecloud-final.servicecloud-config.servicechronyd.servicecrond.servicefapolicyd.servicesystemd-user-sessions.serviceplymouth-quit.servicedbus.serviceplymouth-quit-wait.service
Log USBGuard daemon audit events using Linux Auditxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend lowCCE-82168-6

Log USBGuard daemon audit events using Linux Audit

Rule IDxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_usbguard_auditbackend:def:1
Time2023-05-08T20:23:02+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82168-6

References:  CCI-000169, CCI-000172, AU-2, CM-8(3), IA-3, FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, RHEL-08-030603, SV-230470r744006_rule

Description
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
Rationale
Using the Linux Audit logging allows for centralized trace of events.
OVAL test results details

tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file  oval:ssg-test_configure_usbguard_auditbackend:tst:1  true

Following items have been found on the system:
PathContent
/etc/usbguard/usbguard-daemon.confAuditBackend=LinuxAudit

The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend  oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/usbguard/usbguard-daemon.confregular006417rw------- 
/etc/usbguard/usbguard-daemon.conf.bakregular006418rw------- 
Generate USBGuard Policyxccdf_org.ssgproject.content_rule_usbguard_generate_policy mediumCCE-83774-0

Generate USBGuard Policy

Rule IDxccdf_org.ssgproject.content_rule_usbguard_generate_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-usbguard_generate_policy:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83774-0

References:  CCI-000416, CCI-001958, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040140, SV-230524r854065_rule

Description
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices.
Rationale
The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible.
OVAL test results details

Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists  oval:ssg-test_usbguard_rules_nonempty:tst:1  true

Following items have been found on the system:
PathContent
/etc/usbguard/rules.conf# No USB devices found
Disable graphical user interfacexccdf_org.ssgproject.content_rule_xwindows_remove_packages mediumCCE-83411-9

Disable graphical user interface

Rule IDxccdf_org.ssgproject.content_rule_xwindows_remove_packages
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-xwindows_remove_packages:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83411-9

References:  CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040320, SV-230553r809324_rule

Description
By removing the following packages, the system no longer has X Windows installed. xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: 
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
Rationale
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Warnings
warning  The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. X11 graphic libraries are dependency of OpenStack Cinderlib storage provider.
OVAL test results details

package xorg-x11-server-Xorg is removed  oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xorg_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-Xorg

package xorg-x11-server-common is removed  oval:ssg-test_package_xorg-x11-server-common_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-common

package xorg-x11-server-utils is removed  oval:ssg-package_xorg-x11-server-utils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-utils_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-utils

package xorg-x11-server-Xwayland is removed  oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xwayland_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-Xwayland
Disable X Windows Startup By Setting Default Targetxccdf_org.ssgproject.content_rule_xwindows_runlevel_target mediumCCE-83380-6

Disable X Windows Startup By Setting Default Target

Rule IDxccdf_org.ssgproject.content_rule_xwindows_runlevel_target
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-xwindows_runlevel_target:def:1
Time2023-05-08T20:23:02+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83380-6

References:  12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040321, 2.2.2, SV-251718r809378_rule

Description
Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run: 
$ systemctl set-default multi-user.target
You should see the following output: 
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
Rationale
Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented.
OVAL test results details

default.target systemd softlink exists  oval:ssg-test_disable_xwindows_runlevel_target:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/systemd/system/default.target/usr/lib/systemd/system/multi-user.target
Scroll back to the first rule
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.