Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security-related configuration settings with which all federal agencies should comply. This baseline implements configuration requirements from the following documents:

  • Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
  • NIST Controlled Unclassified Information (NIST 800-171)
  • NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
  • U.S. Government Configuration Baseline (USGCB)
  • NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
  • DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus process.

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: localhost.localdomain
Benchmark URL: /tmp/tmp.3vRl0paVTE/input.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID: xccdf_org.ssgproject.content_profile_ospp-rhel7
Started at: 2018-04-30T11:14:12
Finished at: 2018-04-30T11:15:54
Performed by: root

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode

Addresses

  • IPv4  127.0.0.1
  • IPv4  192.168.122.162
  • MAC  00:00:00:00:00:00
  • MAC  52:54:00:40:5F:9E

Compliance and Scoring

The target system did not satisfy the conditions of 6 rules! Please review rule results and consider applying remediation.

Rule results

350 passed
6 failed
3 other

Severity of failed rules

0 other
1 low
2 medium
3 high

Score

Scoring system: urn:xccdf:scoring:default
Score: 98.654800
Maximum: 100.000000
Percent: 98.65%

Rule Overview

Title | Severity | Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 7 6x fail 3x notchecked
System Settings 5x fail 3x notchecked
Installing and Maintaining Software 2x fail 2x notchecked
Disk Partitioning 1x notchecked
Encrypt Partitions | high | notchecked
Updating Software 1x fail 1x notchecked
Ensure Red Hat GPG Key Installed | high | pass
Ensure gpgcheck Enabled In Main Yum Configuration | high | pass
Ensure gpgcheck Enabled For All Yum Package Repositories | high | pass
Ensure Software Patches Installed | high | notchecked
Ensure YUM Removes Previous Package Versions | low | pass
Ensure gpgcheck Enabled for Local Packages | high | pass
Ensure gpgcheck Enabled for Repository Metadata | high | fail
System and Software Integrity 1x fail
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE | medium | pass
Build and Test AIDE Database | medium | pass
Configure Periodic Execution of AIDE | medium | pass
Configure Notification of Post-AIDE Scan Details | medium | pass
Configure AIDE to Verify Access Control Lists (ACLs) | medium | pass
Configure AIDE to Verify Extended Attributes | medium | pass
Configure AIDE to Use FIPS 140-2 for Validating Hashes | medium | pass
Verify Integrity with RPM
Verify and Correct File Permissions with RPM | high | pass
Verify File Hashes with RPM | high | pass
Endpoint Protection Software 1x fail
Install Intrusion Detection Software | high | pass
Install Virus Scanning Software | high | fail
Federal Information Processing Standard (FIPS)
Install the dracut-fips Package | medium | pass
Enable FIPS Mode in GRUB2 | high | pass
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supported and Certified | high | pass
GNOME Desktop Environment
Disable the GNOME3 Login User List | medium | pass
Disable the GNOME3 Login Restart and Shutdown Buttons | high | pass
Enable the GNOME3 Login Smartcard Authentication | medium | pass
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeout | medium | pass
Enable GNOME3 Screensaver Idle Activation | medium | pass
Enable GNOME3 Screensaver Lock After Idle Period | medium | pass
Set GNOME3 Screensaver Lock Delay After Activation Period | medium | pass
Implement Blank Screensaver | low | pass
Ensure Users Cannot Change GNOME3 Screensaver Settings | medium | pass
Ensure Users Cannot Change GNOME3 Session Idle Settings | medium | pass
GNOME System Settings
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 | high | pass
Disable User Administration in GNOME3 | high | pass
Disable Geolocation in GNOME3 | medium | pass
GNOME Network Settings
Disable WIFI Network Connection Creation in GNOME3 | medium | pass
Disable WIFI Network Notification in GNOME3 | medium | pass
GNOME Remote Access Settings
Require Credential Prompting for Remote Access in GNOME3 | medium | pass
Require Encryption for Remote Access in GNOME3 | medium | pass
GNOME Media Settings
Disable GNOME3 Automounting | low | pass
Disable All GNOME3 Thumbnailers | low | pass
File Permissions and Masks
Restrict Partition Mount Options
Add nodev Option to Removable Media Partitions | low | pass
Add noexec Option to Removable Media Partitions | low | pass
Add nosuid Option to Removable Media Partitions | low | pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Modprobe Loading of USB Storage Driver | medium | pass
Disable Kernel Support for USB via Bootloader Configuration | low | pass
Disable the Automounter | medium | pass
Disable Mounting of cramfs | low | pass
Disable Mounting of freevxfs | low | pass
Disable Mounting of jffs2 | low | pass
Disable Mounting of hfs | low | pass
Disable Mounting of hfsplus | low | pass
Disable Mounting of squashfs | low | pass
Verify Permissions on Important Files and Directories
Ensure All Files Are Owned by a User | medium | pass
Ensure All Files Are Owned by a Group | medium | pass
Ensure All World-Writable Directories Are Owned by a System Account | low | pass
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable Core Dumps for SUID programs | low | pass
Enable ExecShield
Enable ExecShield | medium | pass
Enable Randomized Layout of Virtual Address Space | medium | pass
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Install PAE Kernel on Supported 32-bit x86 Systems | low | pass
Restrict Access to Kernel Message Buffer | low | pass
SELinux
SELinux - Booleans
Disable the abrt_anon_write SELinux Boolean | medium | pass
Disable the abrt_handle_event SELinux Boolean | medium | pass
Disable the abrt_upload_watch_anon_write SELinux Boolean | medium | pass
Enable the auditadm_exec_content SELinux Boolean | medium | pass
Disable the cron_can_relabel SELinux Boolean | medium | pass
Disable the cron_system_cronjob_use_shares SELinux Boolean | medium | pass
Enable the cron_userdomain_transition SELinux Boolean | medium | pass
Disable the daemons_dump_core SELinux Boolean | medium | pass
Disable the daemons_use_tcp_wrapper SELinux Boolean | medium | pass
Disable the daemons_use_tty SELinux Boolean | medium | pass
Disable the deny_execmem SELinux Boolean | medium | pass
Disable the deny_ptrace SELinux Boolean | medium | pass
Enable the domain_fd_use SELinux Boolean | medium | pass
Disable the domain_kernel_load_modules SELinux Boolean | medium | pass
Enable the fips_mode SELinux Boolean | medium | pass
Disable the gpg_web_anon_write SELinux Boolean | medium | pass
Disable the guest_exec_content SELinux Boolean | medium | pass
Enable the kerberos_enabled SELinux Boolean | medium | pass
Enable the logadm_exec_content SELinux Boolean | medium | pass
Disable the logging_syslogd_can_sendmail SELinux Boolean | medium | pass
Enable the logging_syslogd_use_tty SELinux Boolean | medium | pass
Disable the mmap_low_allowed SELinux Boolean | medium | pass
Disable the mock_enable_homedirs SELinux Boolean | medium | pass
Enable the mount_anyfile SELinux Boolean | medium | pass
Disable the polyinstantiation_enabled SELinux Boolean | medium | pass
Enable the secadm_exec_content SELinux Boolean | medium | pass
Disable the secure_mode_insmod SELinux Boolean | medium | pass
Disable the secure_mode SELinux Boolean | medium | pass
Disable the secure_mode_policyload SELinux Boolean | medium | pass
Configure the selinuxuser_direct_dri_enabled SELinux Boolean | medium | pass
Disable the selinuxuser_execheap SELinux Boolean | medium | pass
Enable the selinuxuser_execmod SELinux Boolean | medium | pass
Disable the selinuxuser_execstack SELinux Boolean | medium | pass
Disable the selinuxuser_mysql_connect_enabled SELinux Boolean | medium | pass
Enable the selinuxuser_ping SELinux Boolean | medium | pass
Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean | medium | pass
Disable the selinuxuser_rw_noexattrfile SELinux Boolean | medium | pass
Disable the selinuxuser_share_music SELinux Boolean | medium | pass
Disable the selinuxuser_tcp_server SELinux Boolean | medium | pass
Disable the selinuxuser_udp_server SELinux Boolean | medium | pass
Disable the selinuxuser_use_ssh_chroot SELinux Boolean | medium | pass
Disable the ssh_chroot_rw_homedirs SELinux Boolean | medium | pass
Disable the ssh_keysign SELinux Boolean | medium | pass
Enable the staff_exec_content SELinux Boolean | medium | pass
Enable the sysadm_exec_content SELinux Boolean | medium | pass
Disable the use_ecryptfs_home_dirs SELinux Boolean | medium | pass
Enable the user_exec_content SELinux Boolean | medium | pass
Disable the xdm_bind_vnc_tcp_port SELinux Boolean | medium | pass
Disable the xdm_exec_bootloader SELinux Boolean | medium | pass
Disable the xdm_write_home SELinux Boolean | medium | pass
Disable the xguest_connect_network SELinux Boolean | medium | pass
Disable the xguest_exec_content SELinux Boolean | medium | pass
Disable the xguest_mount_media SELinux Boolean | medium | pass
Disable the xguest_use_bluetooth SELinux Boolean | medium | pass
Disable the xserver_clients_write_xshm SELinux Boolean | medium | pass
Disable the xserver_execmem SELinux Boolean | medium | pass
Disable the xserver_object_manager SELinux Boolean | medium | pass
Ensure SELinux Not Disabled in /etc/default/grub | medium | pass
Ensure SELinux State is Enforcing | high | pass
Configure SELinux Policy | high | pass
Ensure No Daemons are Unconfined by SELinux | medium | pass
Ensure No Device Files are Unlabeled by SELinux | medium | pass
Account and Access Control 1x fail
Protect Accounts by Restricting Password-Based Login
Restrict Root Logins
Direct root Logins Not Allowed | medium | pass
Restrict Serial Port Root Logins | low | pass
Verify Only Root Has UID 0 | high | pass
Verify Proper Storage and Existence of Password Hashes
Prevent Log In to Accounts With Empty Password | high | pass
Verify All Account Password Hashes are Shadowed | medium | pass
All GIDs referenced in /etc/passwd must be defined in /etc/group | low | pass
Set Password Expiration Parameters
Protect Accounts by Configuring PAM
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Set Password Retry Prompts Permitted Per-Session | low | pass
Set Password Maximum Consecutive Repeating Characters | medium | pass
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class | medium | pass
Set Password Strength Minimum Digit Characters | medium | pass
Set Password Minimum Length | medium | pass
Set Password Strength Minimum Uppercase Characters | medium | pass
Set Password Strength Minimum Special Characters | medium | pass
Set Password Strength Minimum Lowercase Characters | medium | pass
Set Password Strength Minimum Different Characters | medium | pass
Set Password Strength Minimum Different Categories | medium | pass
Set Lockouts for Failed Password Attempts
Set Deny For Failed Password Attempts | medium | pass
Set Lockout Time For Failed Password Attempts | medium | pass
Configure the root Account for Failed Password Attempts | medium | pass
Set Interval For Counting Failed Password Attempts | medium | pass
Limit Password Reuse | medium | pass
Set Password Hashing Algorithm
Set PAM's Password Hashing Algorithm | medium | pass
Set Password Hashing Algorithm in /etc/login.defs | medium | pass
Set Password Hashing Algorithm in /etc/libuser.conf | medium | pass
Secure Session Configuration Files for Login Accounts
Ensure that Users Have Sensible Umask Values
Set Interactive Session Timeout | medium | pass
Ensure the Logon Failure Delay is Set Correctly in login.defs | low | pass
Protect Physical Console Access 1x fail
Set Boot Loader Password 1x fail
Verify /boot/grub2/grub.cfg User Ownership | medium | pass
Verify /boot/grub2/grub.cfg Group Ownership | medium | pass
Verify /boot/grub2/grub.cfg Permissions | medium | pass
Set Boot Loader Password | high | fail
Set the UEFI Boot Loader Password | medium | pass
Configure Screen Locking
Configure Console Screen Locking
Install the screen Package | medium | pass
Enable Smart Card Login | medium | pass
Require Authentication for Single User Mode | medium | pass
Disable debug-shell SystemD Service | medium | pass
Disable Ctrl-Alt-Del Burst Action | high | pass
Disable Ctrl-Alt-Del Reboot Activation | high | pass
Verify that Interactive Boot is Disabled | medium | pass
Warning Banners for System Accesses
Enable GNOME3 Login Warning Banner | medium | pass
Modify the System Login Banner | medium | pass
Network Configuration and Firewalls 1x fail 1x notchecked
Kernel Parameters Which Affect Networking
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects by Default | medium | pass
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces | medium | pass
Disable Kernel Parameter for IP Forwarding | medium | pass
Network Related Kernel Runtime Parameters for Hosts and Routers
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces | medium | pass
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces | medium | pass
Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces | medium | pass
Configure Kernel Parameter to Log Martian Packets | low | pass
Configure Kernel Parameter to Log Martian Packets By Default | low | pass
Configure Kernel Parameter for Accepting Source-Routed Packets By Default | medium | pass
Configure Kernel Parameter for Accepting ICMP Redirects By Default | medium | pass
Configure Kernel Parameter for Accepting Secure Redirects By Default | medium | pass
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests | medium | pass
Configure Kernel Parameter to Ignore Bogus ICMP Error Responses | low | pass
Configure Kernel Parameter to Use TCP Syncookies | medium | pass
Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces | medium | pass
Configure Kernel Parameter to Use Reverse Path Filtering by Default | medium | pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces | low | pass
Disable Bluetooth Service | medium | pass
Disable Bluetooth Kernel Modules | medium | pass
IPv6
Disable Support for IPv6 Unless Needed
Disable IPv6 Networking Support Automatic Loading | medium | pass
Disable Support for RPC IPv6 | low | pass
Configure IPv6 Settings if Necessary
Disable Automatic Configuration
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces | medium | pass
Configure Accepting IPv6 Router Advertisements | low | pass
Configure Accepting IPv6 Router Advertisements | low | pass
Configure Accepting IPv6 Redirects By Default | medium | pass
Configure Accepting IPv6 Redirects By Default | medium | pass
Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default | medium | pass
Disable Kernel Parameter for IPv6 Forwarding | medium | pass
Use Privacy Extensions for Address | low | pass
firewalld 1x fail
Inspect and Activate Default firewalld Rules
Verify firewalld Enabled | medium | pass
Strengthen the Default Ruleset 1x fail
Set Default firewalld Zone for Incoming Packets | medium | fail
Uncommon Network Protocols
Disable DCCP Support | medium | pass
Disable SCTP Support | medium | pass
IPSec Support 1x notchecked
Verify Any Configured IPSec Tunnel Connections | medium | notchecked
Ensure System is Not Acting as a Network Sniffer | medium | pass
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure cron Is Logging To Rsyslog | medium | pass
Rsyslog Logs Sent To Remote Host
Ensure Logs Sent To Remote Host | low | pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | low | pass
System Accounting with auditd 1x fail
Configure auditd Data Retention
Configure auditd Number of Logs Retained | medium | pass
Configure auditd Max Log File Size | medium | pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | pass
Configure auditd space_left Action on Low Disk Space | medium | pass
Configure auditd admin_space_left Action on Low Disk Space | medium | pass
Configure auditd mail_acct Action on Low Disk Space | medium | pass
Configure auditd flush priority | low | pass
Configure auditd to use audispd's syslog plugin | medium | pass
Configure auditd Rules for Comprehensive Auditing 1x fail
Records Events that Modify Date and Time Information
Record attempts to alter time through adjtimex | low | pass
Record attempts to alter time through settimeofday | low | pass
Record Attempts to Alter Time Through stime | low | pass
Record Attempts to Alter Time Through clock_settime | low | pass
Record Attempts to Alter the localtime File | low | pass
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmod | low | pass
Record Events that Modify the System's Discretionary Access Controls - chown | low | pass
Record Events that Modify the System's Discretionary Access Controls - fchmod | low | pass
Record Events that Modify the System's Discretionary Access Controls - fchmodat | low | pass
Record Events that Modify the System's Discretionary Access Controls - fchown | low | pass
Record Events that Modify the System's Discretionary Access Controls - fchownat | low | pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattr | medium | pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattr | low | pass
Record Events that Modify the System's Discretionary Access Controls - lchown | low | pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattr | medium | pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattr | low | pass
Record Events that Modify the System's Discretionary Access Controls - removexattr | medium | pass
Record Events that Modify the System's Discretionary Access Controls - setxattr | low | pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unauthorized Access Attempts to Files (unsuccessful) - creat | medium | pass
Record Unauthorized Access Attempts to Files (unsuccessful) - open | medium | pass
Record Unauthorized Access Attempts to Files (unsuccessful) - openat | medium | pass
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at | medium | pass
Record Unauthorized Access Attempts to Files (unsuccessful) - truncate | medium | pass
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate | medium | pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run semanage | medium | pass
Record Any Attempts to Run setsebool | medium | pass
Record Any Attempts to Run chcon | medium | pass
Record Any Attempts to Run restorecon | medium | pass
Record Information on the Use of Privileged Commands 1x fail
Ensure auditd Collects Information on the Use of Privileged Commands | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - passwd | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - chage | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - su | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudo | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - chsh | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - umount | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - crontab | medium | pass
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | medium | pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User | medium | pass
Ensure auditd Collects File Deletion Events by User - rmdir | medium | pass
Ensure auditd Collects File Deletion Events by User - unlinkat | medium | pass
Ensure auditd Collects File Deletion Events by User - rename | medium | pass
Ensure auditd Collects File Deletion Events by User - renameat | medium | pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Loading - init_module | medium | pass
Ensure auditd Collects Information on Kernel Module Unloading - delete_module | medium | pass
Ensure auditd Collects Information on Kernel Module Loading - insmod | medium | pass
Ensure auditd Collects Information on Kernel Module Unloading - rmmod | medium | pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe | medium | pass
Shutdown System When Auditing Failures Occur | medium | pass
Record Events that Modify User/Group Information - /etc/group | medium | pass
Record Events that Modify User/Group Information - /etc/gshadow | medium | pass
Record Events that Modify User/Group Information - /etc/shadow | medium | pass
Record Events that Modify User/Group Information - /etc/passwd | medium | pass
Record Events that Modify User/Group Information - /etc/security/opasswd | medium | pass
Record Events that Modify the System's Network Environment | low | pass
System Audit Logs Must Have Mode 0640 or Less Permissive | medium | pass
System Audit Logs Must Be Owned By Root | medium | pass
Record Events that Modify the System's Mandatory Access Controls | low | pass
Record Attempts to Alter Process and Session Initiation Information | low | pass
Ensure auditd Collects Information on Exporting to Media (successful) | medium | pass
Ensure auditd Collects System Administrator Actions | low | pass
Make the auditd Configuration Immutable | medium | pass
Enable auditd Service | high | pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon | medium | pass
Services 1x fail
Obsolete Services
Xinetd
Disable xinetd Service | medium | pass
Uninstall xinetd Package | low | pass
Telnet
Disable telnet Service | high | pass
Uninstall telnet-server Package | high | pass
Remove telnet Clients | low | pass
Rlogin, Rsh, and Rexec
Uninstall rsh-server Package | high | pass
Disable rexec Service | high | pass
Disable rsh Service | high | pass
Uninstall rsh Package | low | pass
Disable rlogin Service | high | pass
Remove Rsh Trust Files | high | pass
NIS
Uninstall ypserv Package | high | pass
Disable ypbind Service | medium | pass
Remove NIS Client | low | pass
Chat/Messaging Services
Uninstall talk-server Package | medium | pass
Uninstall talk Package | low | pass
Base Services
Disable KDump Kernel Crash Analyzer (kdump) | medium | pass
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Verify User Who Owns /etc/cron.allow file | medium | pass
Verify Group Who Owns /etc/cron.allow file | medium | pass
Enable cron Service | medium | pass
SSH Server 1x fail
Configure OpenSSH Server if Necessary 1x fail
Enable SSH Server firewalld Firewall exception | low | fail
Allow Only SSH Protocol 2 | high | pass
Disable GSSAPI Authentication | medium | pass
Disable Kerberos Authentication | medium | pass
Enable Use of Strict Mode Checking | medium | pass
Enable Use of Privilege Separation | medium | pass
Disable Compression Or Set Compression to delayed | medium | pass
Set SSH Idle Timeout Interval | low | pass
Set SSH Client Alive Count | medium | pass
Disable SSH Support for .rhosts Files | medium | pass
Disable SSH Support for User Known Hosts | medium | pass
Disable SSH Support for Rhosts RSA Authentication | medium | pass
Disable Host-Based Authentication | medium | pass
Enable Encrypted X11 Forwarding | high | pass
Disable SSH Access via Empty Passwords | high | pass
Enable SSH Warning Banner | medium | pass
Do Not Allow SSH Environment Options | medium | pass
Use Only FIPS 140-2 Validated Ciphers | medium | pass
Use Only FIPS 140-2 Validated MACs | medium | pass
Enable the OpenSSH Service | medium | pass
Verify Permissions on SSH Server Public *.pub Key Files | medium | pass
Verify Permissions on SSH Server Private *_key Key Files | medium | pass
System Security Services Daemon
Configure SSSD's Memory Cache to Expire | medium | pass
Configure SSSD to Expire Offline Credentials | medium | pass
Configure SSSD to Expire SSH Known Hosts | medium | pass
Network Time Protocol
Enable the NTP Daemon | medium | pass
Specify a Remote NTP Server | medium | pass
Specify Additional Remote NTP Servers | low | pass
LDAP
Configure OpenLDAP Clients
Configure LDAP Client to Use TLS For All Transactions | medium | pass
NFS and RPC
Configure NFS Clients
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with nodev | medium | pass
Mount Remote Filesystems with nosuid | medium | pass
Mount Remote Filesystems with Kerberos Security | medium | pass
Configure NFS Servers
Use Kerberos Security on All Exports | medium | pass
Network Routing
Disable Quagga if Possible
Disable Quagga Service | medium | pass

Result Details

Encrypt Partitions

Rule ID: xccdf_org.ssgproject.content_rule_encrypt_partitions
Result: notchecked
Time: 2018-04-30T11:14:14
Severity: high
Identifiers and References

Identifiers:  CCE-27128-8

References:  SC-13, SC-28(1), CCI-001199, CCI-002476, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, 3.13.16

Description

Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html

Rationale

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Evaluation messages
info: No candidate or applicable check found.

Ensure Red Hat GPG Key Installed

Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result: pass
Time: 2018-04-30T11:14:14
Severity: high
Identifiers and References

Identifiers:  CCE-26957-1

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 1.2.3, 5.10.4.1, 3.4.8

Description

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Rationale

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL details

Red Hat release key package is installed - passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

Red Hat auxiliary key package is installed - passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

CentOS7 key package is installed - passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

CentOS6 key package is installed - passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)
Ensure gpgcheck Enabled In Main Yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-26989-4

Ensure gpgcheck Enabled In Main Yum Configuration

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result
pass
Time2018-04-30T11:14:14
Severityhigh
Identifiers and References

Identifiers:  CCE-26989-4

References:  RHEL-07-020050, SV-86601r1_rule, CM-5(3), SI-7, MA-1(b), CCI-001749, SRG-OS-000366-GPOS-00153, Req-6.2, 1.2.2, 5.10.4.1, 3.4.8

Description

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL details

check value of gpgcheck in /etc/dnf/dnf.conf  passed because these items were not found:

Object oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1 of type textfilecontent54_object
Filepath: /etc/dnf/dnf.conf
Pattern: ^\s*gpgcheck\s*=\s*1\s*$
Instance: 1

check value of gpgcheck in /etc/yum.conf  passed because of these items:

Path           Content
/etc/yum.conf  gpgcheck=1

Ensure gpgcheck Enabled For All Yum Package Repositories

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result: pass
Time: 2018-04-30T11:14:14
Severity: high
Identifiers and References

Identifiers:  CCE-26876-3

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 5.10.4.1, 3.4.8

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files  passed because these items were not found:

Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
Path: /etc/yum.repos.d
Filename: .*
Pattern: ^\s*gpgcheck\s*=\s*0\s*$
Instance: 1

Ensure Software Patches Installed

Rule ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result: notchecked
Time: 2018-04-30T11:14:14
Severity: high
Identifiers and References

Identifiers:  CCE-26895-3

References:  RHEL-07-020260, SV-86623r3_rule, SI-2, SI-2(c), MA-1(b), CCI-000366, Req-6.2, 1.8, SRG-OS-000480-GPOS-00227, 5.10.4.1

Description

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Evaluation messages
info  None of the check-content-ref elements was resolvable.

Ensure YUM Removes Previous Package Versions

Rule ID: xccdf_org.ssgproject.content_rule_clean_components_post_updating
Result: pass
Time: 2018-04-30T11:14:14
Severity: low
Identifiers and References

Identifiers:  CCE-80346-0

References:  RHEL-07-020200, SV-86611r1_rule, SI-2(6), CCI-002617, SRG-OS-000437-GPOS-00194, 3.4.8

Description

Yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set clean_requirements_on_remove to 1 in /etc/yum.conf.

Rationale

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

OVAL details

check value of clean_requirements_on_remove in /etc/yum.conf  passed because of these items:

Path           Content
/etc/yum.conf  clean_requirements_on_remove=1

Ensure gpgcheck Enabled for Local Packages

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result: pass
Time: 2018-04-30T11:14:14
Severity: high
Identifiers and References

Identifiers:  CCE-80347-8

References:  RHEL-07-020060, SV-86603r1_rule, CM-5(3), CCI-001749, SRG-OS-000366-GPOS-00153, 3.4.8

Description

Yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

OVAL details

check value of localpkg_gpgcheck in /etc/yum.conf  passed because of these items:

Path           Content
/etc/yum.conf  localpkg_gpgcheck=1

Install AIDE

Rule ID: xccdf_org.ssgproject.content_rule_package_aide_installed
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-27096-7

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 1.3.1, 5.10.1.3

Description

Install the AIDE package with the command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

OVAL details

package aide is installed  passed because of these items:

Name  Arch    Epoch   Release  Version  Evr              Signature keyid   Extended name
aide  x86_64  (none)  13.el7   0.15.1   0:0.15.1-13.el7  199e2f91fd431d51  aide-0:0.15.1-13.el7.x86_64

Build and Test AIDE Database

Rule ID: xccdf_org.ssgproject.content_rule_aide_build_database
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-27220-3

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 5.10.1.3

Description

Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

OVAL details

Testing existence of new aide database file  passed because of these items:

Path                          Type     UID  GID  Size (B)  Permissions
/var/lib/aide/aide.db.new.gz  regular  0    0    1569163   rw-------

Testing existence of operational aide database file  passed because of these items:

Path                      Type     UID  GID  Size (B)  Permissions
/var/lib/aide/aide.db.gz  regular  0    0    1569163   rw-------

Configure Periodic Execution of AIDE

Rule ID: xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-26952-2

References:  RHEL-07-020030, SV-86597r1_rule, CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, CCI-001744, Req-11.5, 1.3.2, SRG-OS-000363-GPOS-00150, 5.10.1.3

Description

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

run aide daily with cron  passed because of these items:

Path          Content
/etc/crontab  0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
/etc/crontab  05 4 * * * root /usr/sbin/aide --check

run aide daily with cron  passed because these items were not found:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
Path: /etc/cron.d
Filename: ^.*$
Pattern: ^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

run aide daily with cron  passed because these items were not found:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
Filepath: /var/spool/cron/root
Pattern: ^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*(root|)/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

run aide daily with cron.(daily|weekly|monthly)  passed because these items were not found:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
Path: /etc/cron.(daily|weekly|monthly)
Filename: ^.*$
Pattern: ^\s*/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

Configure Notification of Post-AIDE Scan Details

Rule ID: xccdf_org.ssgproject.content_rule_aide_scan_notification
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-80374-2

References:  RHEL-07-020040, SV-86599r1_rule, CM-3(5), CCI-001744, SRG-OS-000363-GPOS-00150

Description

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.

Rationale

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

notify personnel when aide completes  passed because of these items:

Path          Content
/etc/crontab  0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

notify personnel when aide completes  passed because these items were not found:

Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object
Filepath: /var/spool/cron/root
Pattern: ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$
Instance: 1

notify personnel when aide completes in cron.(daily|weekly|monthly)  passed because these items were not found:

Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object
Path: /etc/cron.(d|daily|weekly|monthly)
Filename: ^.*$
Pattern: ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$
Instance: 1

Configure AIDE to Verify Access Control Lists (ACLs)

Rule ID: xccdf_org.ssgproject.content_rule_aide_verify_acls
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-80375-9

References:  RHEL-07-021600, SV-86693r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Description

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

OVAL details

acl is set in /etc/aide.conf  passed because of these items:

Path            Content
/etc/aide.conf  NORMAL = acl+xattrs+sha512
/etc/aide.conf  DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf  LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf  CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf  DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Configure AIDE to Verify Extended Attributes

Rule ID: xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-80376-7

References:  RHEL-07-021610, SV-86695r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Description

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

OVAL details

xattrs is set in /etc/aide.conf  passed because of these items:

Path            Content
/etc/aide.conf  NORMAL = acl+xattrs+sha512
/etc/aide.conf  DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf  LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf  CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf  DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Configure AIDE to Use FIPS 140-2 for Validating Hashes

Rule ID: xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
Result: pass
Time: 2018-04-30T11:14:14
Severity: medium
Identifiers and References

Identifiers:  CCE-80377-5

References:  RHEL-07-021620, SV-86697r2_rule, SI-7(1), CCI-000366, SRG-OS-000480-GPOS-00227, 3.13.11

Description

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

OVAL details

Verify non-FIPS hashes are not configured in /etc/aide.conf  passed because these items were not found:

Object oval:ssg-object_aide_non_fips_hashes:obj:1 of type textfilecontent54_object
Filepath: /etc/aide.conf
Pattern: ^[A-Z]*[\s]*=[\s]*.*(sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32).*$
Instance: 0

Verify FIPS hashes are configured in /etc/aide.conf  passed because of these items:

Path            Content
/etc/aide.conf  STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf  NORMAL = acl+xattrs+sha512
/etc/aide.conf  DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf  PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf  ALLXTRAHASHES = sha512
/etc/aide.conf  CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf  DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Verify and Correct File Permissions with RPM

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result: pass
Time: 2018-04-30T11:14:19
Severity: high
Identifiers and References

Identifiers:  CCE-27209-6

References:  RHEL-07-010010, SV-86473r2_rule, AC-6, AU-9(1), AU-9(3), CM-6(d), CM-6(3), CCI-001494, CCI-001496, Req-11.5, 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 5.10.4.1, 3.3.8, 3.4.1

Description

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

Rationale

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Warnings
warning  Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1275532.
OVAL details

mode of all files matches local rpm database  passed because these items were not found:

Object oval:ssg-object_files_fail_mode:obj:1 of type rpmverifyfile_object
Behaviors: no value
Name: .*
Epoch: .*
Version: .*
Release: .*
Arch: .*
Filepath: .*
Filter: oval:ssg-state_files_fail_mode:ste:1

Verify File Hashes with RPM

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-27157-7

References:  RHEL-07-010020, SV-86479r2_rule, CM-6(d), CM-6(3), SI-7(1), CCI-000663, Req-11.5, 1.2.6, SRG-OS-000480-GPOS-00227, 5.10.4.1, 3.3.8, 3.4.1

Description

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

Rationale

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

OVAL details

verify file md5 hashes  passed because these items were not found:

Object oval:ssg-object_files_fail_md5_hash:obj:1 of type rpmverifyfile_object
Behaviors: no value
Name: .*
Epoch: .*
Version: .*
Release: .*
Arch: .*
Filepath: ^/(bin|sbin|lib|lib64|usr)/.+$
Filter: oval:ssg-state_files_fail_md5_hash:ste:1

Install Intrusion Detection Software

Rule ID: xccdf_org.ssgproject.content_rule_install_hids
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-26818-5

References:  SC-7, CCI-001263, Req-11.4

Description

The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.

Rationale

Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Warnings
warning  Note: In DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.
OVAL details

/selinux/enforce is 1  passed because of these items:

Path                 Content
/etc/selinux/config  SELINUX=enforcing

Install Virus Scanning Software

Rule ID: xccdf_org.ssgproject.content_rule_install_antivirus
Result: fail
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-27140-3

References:  SC-28, SI-3, CCI-001239, CCI-001668

Description

Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.

Rationale

Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Install the dracut-fips Package

Rule ID: xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80358-5

References:  AC-17(2), CCI-000068, CCI-002450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.11, 3.13.8

Description

To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:

$ sudo yum install dracut-fips

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

OVAL details

package dracut-fips is installed  passed because of these items:

Name         Arch    Epoch   Release  Version  Evr            Signature keyid   Extended name
dracut-fips  x86_64  (none)  535.el7  033      0:033-535.el7  199e2f91fd431d51  dracut-fips-0:033-535.el7.x86_64

Enable FIPS Mode in GRUB2

Rule ID: xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-80359-3

References:  RHEL-07-021350, SV-86691r2_rule, AC-17(2), CCI-000068, CCI-002450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.8, 3.13.11

Description

To ensure FIPS mode is enabled, rebuild initramfs by running the following command:

dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Warnings
warning  Running dracut -f will overwrite the existing initramfs file.
warning  The system needs to be rebooted for these changes to take effect.
warning  The ability to enable FIPS does not denote FIPS compliancy or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible.

See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors.
OVAL details

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  passed because of these items:

Path               Content
/etc/default/grub  GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 nousb audit=1"

check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub  passed because these items were not found:

Object oval:ssg-object_grub2_default_exists:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$
Instance: 1

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  passed because these items were not found:

Object oval:ssg-object_grub2_enable_fips_mode_default:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$
Instance: 1
State oval:ssg-state_grub2_enable_fips_mode:ste:1 of type textfilecontent54_state
Subexpression: ^.*fips=1.*$

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  passed because of these items:

Path               Content
/etc/default/grub  GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 nousb audit=1"

The Installed Operating System Is Vendor Supported and Certified

Rule ID: xccdf_org.ssgproject.content_rule_installed_OS_is_certified
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-80349-4

References:  RHEL-07-020250, SV-86621r2_rule, SI-2(c), CCI-000366, SRG-OS-000480-GPOS-00227

Description

The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining government certifications and standards.

Rationale

An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issues discovered in the system software or to meet government certifications.

Disable the GNOME3 Login User List

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80106-8

References:  AC-23

Description

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.

Rationale

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

OVAL details

GUI user list is disabled  passed because these items were not found:

Object oval:ssg-obj_disable_user_list:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/
Filename: ^.*$
Pattern: ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-user-list=true$
Instance: 1

GUI user list cannot be enabled  passed because these items were not found:

Object oval:ssg-obj_prevent_user_disable_user_list:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/login-screen/disable-user-list$
Instance: 1

Disable the GNOME3 Login Restart and Shutdown Buttons

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-80107-6

References:  RHEL-07-TBD, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.2

Description

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system. This functionality should be disabled by setting disable-restart-buttons to true.

To disable, add or edit disable-restart-buttons to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-restart-buttons=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-restart-buttons

After the settings have been set, run dconf update.

Rationale

A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.

OVAL details

GUI restart and shutdown buttons are disabled  passed because these items were not found:

Object oval:ssg-obj_disable_restart_buttons:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/
Filename: ^.*$
Pattern: ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-restart-buttons=true$
Instance: 1

GUI restart and shutdown buttons cannot be enabled  passed because these items were not found:

Object oval:ssg-obj_prevent_user_enable_restart_buttons:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/login-screen/disable-restart-buttons$
Instance: 1

Enable the GNOME3 Login Smartcard Authentication

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80108-4

References:  CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, CCI-001954, Req-8.3, SRG-OS-000375-GPOS-00160, RHEL-07-010061

Description

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true.

To enable, add or edit enable-smartcard-authentication to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
enable-smartcard-authentication=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/enable-smartcard-authentication

After the settings have been set, run dconf update.

Rationale

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

OVAL details

Enable GUI Login Smartcard authentication  passed because these items were not found:

Object oval:ssg-obj_enable_gnome_smartcard:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/
Filename: ^.*$
Pattern: ^\[org/gnome/login-screen]([^\n]*\n+)+?enable-smartcard-authentication=true$
Instance: 1

GUI smartcard authentication cannot be disabled  passed because these items were not found:

Object oval:ssg-obj_prevent_user_disable_smartcard:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/login-screen/enable-smartcard-authentication$
Instance: 1

Set GNOME3 Screensaver Inactivity Timeout

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80110-0

References:  RHEL-07-010070, SV-86517r2_rule, AC-11(a), CCI-000057, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10

Description

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

[org/gnome/desktop/session]
idle-delay=uint32 900

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.

OVAL details

screensaver idle delay is configured  passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$
Instance: 1

user cannot change screensaver idle delay  passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/session/idle-delay$
Instance: 1

screensaver idle delay setting is correct  passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^idle-delay[\s=]*uint32[\s]([^=\s]*)
Instance: 1
State oval:ssg-state_screensaver_idle_delay_setting:ste:1 of type textfilecontent54_state
Subexpression: 900

Enable GNOME3 Screensaver Idle Activation

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80111-8

References:  RHEL-07-010100, SV-86523r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10

Description

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle-activation-enabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.

OVAL details

idle delay is configured  passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_activation_enabled:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$
Instance: 1

user cannot change idle_activation_enabled  passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/screensaver/idle-activation-enabled$
Instance: 1

Enable GNOME3 Screensaver Lock After Idle Period

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80112-6

References:  RHEL-07-010060, SV-86515r2_rule, AC-11(b), CCI-000056, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011, 5.5.5, 3.1.10

Description

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.

OVAL details

screensaver lock is enabled  passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$
Instance: 1

screensaver lock cannot be changed by user  passed because these items were not found:

Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/screensaver/lock-enabled$
Instance: 1

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80370-0

References:  RHEL-07-010110, SV-86525r1_rule, AC-11(a), CCI-000056, Req-8.1.8, OS-SRG-000029-GPOS-00010, 3.1.10

Description

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 0 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32 0

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.

OVAL details

screensaver lock is set correctly  passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$
Instance: 1

screensaver lock delay cannot be changed by user  passed because these items were not found:

Object oval:ssg-obj_prevent_user_lock_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/screensaver/lock-delay$
Instance: 1

screensaver lock delay setting is correct  passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^lock-delay[\s=]*uint32[\s]([^=\s]*)
Instance: 1
State oval:ssg-state_screensaver_lock_delay_setting:ste:1 of type textfilecontent54_state
Subexpression

Implement Blank Screensaver

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80113-4

References:  AC-11(b), CCI-000060, Req-8.1.8, 5.5.5, 3.1.10

Description

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
picture-uri=string ''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/picture-uri

After the settings have been set, run dconf update.

Rationale

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

OVAL details

screensaver mode is blank  passed because these items were not found:

Object oval:ssg-obj_screensaver_mode_blank:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=string[\s]\'\'$
Instance: 1

blank screensaver cannot be changed by user  passed because these items were not found:

Object oval:ssg-obj_prevent_user_screensaver_mode_change:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/screensaver/picture-uri$
Instance: 1

Ensure Users Cannot Change GNOME3 Screensaver Settings

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80371-8

References:  RHEL-07-010081, SV-87807r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

Description

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

OVAL details

screensaver lock delay cannot be changed by user  passed because these items were not found:

Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/screensaver/lock-delay$
Instance: 1

Ensure Users Cannot Change GNOME3 Session Idle Settings

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80544-0

References:  RHEL-07-010082, SV-87809r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

Description

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

OVAL details

user cannot change screensaver idle delay  passed because these items were not found:

Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/session/idle-delay$
Instance: 1

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-80124-1

References:  RHEL-07-TBD, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.2

Description

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/settings-daemon/plugins/media-keys]
logout=string ''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/settings-daemon/plugins/media-keys/logout

After the settings have been set, run dconf update.

Rationale

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

OVAL details

Disable Ctrl-Alt-Del  passed because these items were not found:

Object oval:ssg-obj_disable_gnome_ctrlaltdel:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/settings-daemon/plugins/media-keys]([^\n]*\n+)+?logout=string[\s]''$
Instance: 1

Prevent enabling of ctrl-alt-del keys  passed because these items were not found:

Object oval:ssg-obj_prevent_user_enable_ctrlaltdel:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/settings-daemon/plugins/media-keys/logout$
Instance: 1

Disable User Administration in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin
Result: pass
Time: 2018-04-30T11:14:48
Severity: high
Identifiers and References

Identifiers:  CCE-80115-9

References:  3.1.5

Description

By default, GNOME will allow all users to have some administration capability. This should be disabled so that non-administrative users are not making configuration changes. To configure the system to disable user administration capability in the Graphical User Interface (GUI), add or set user-administration-disabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/lockdown]
user-administration-disabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/lockdown/user-administration-disabled

After the settings have been set, run dconf update.

Rationale

Allowing all users to have some administrative capabilities on the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes, and could give a nefarious user the capability to make system changes such as adding new accounts.

OVAL details

Disable user administration  passed because these items were not found:

Object oval:ssg-obj_disable_gnome_user_admin:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/lockdown]([^\n]*\n+)+?user-administration-disabled=true$
Instance: 1

Prevent enabling of user administration  passed because these items were not found:

Object oval:ssg-obj_prevent_user_enable_admin:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/lockdown/user-administration-disabled$
Instance: 1

Disable Geolocation in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80117-5

Description

GNOME allows the clock and applications to track and access location information. This setting should be disabled as applications should not track system location. To configure the system to disable location tracking, add or set enabled to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/system/location]
enabled=false

To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/clocks]
geolocation=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/system/location/enabled
/org/gnome/clocks/geolocation

After the settings have been set, run dconf update.

Rationale

Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

OVAL details

Disable system geolocation  passed because these items were not found:

Object oval:ssg-obj_disable_sys_geolocation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/system/location]([^\n]*\n+)+?enabled=false$
Instance: 1

Prevent enabling of system geolocation  passed because these items were not found:

Object oval:ssg-obj_prevent_user_sys_geolocation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/system/location/enabled$
Instance: 1

Disable clock geolocation  passed because these items were not found:

Object oval:ssg-obj_disable_clock_geolocation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/clocks]([^\n]*\n+)+?geolocation=false$
Instance: 1

Prevent enabling of clock geolocation  passed because these items were not found:

Object oval:ssg-obj_prevent_user_clock_geolocation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/clocks/geolocation$
Instance: 1

Disable WIFI Network Connection Creation in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80118-3

References:  3.1.16

Description

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connections should be disabled by adding or setting disable-wifi-create to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
disable-wifi-create=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/disable-wifi-create

After the settings have been set, run dconf update.

Rationale

Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

OVAL details

Disable wifi creation  passed because these items were not found:

Object oval:ssg-obj_disable_wifi_creation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/nm-applet]([^\n]*\n+)+?disable-wifi-create=true$
Instance: 1

Prevent enabling of wifi creation capability  passed because these items were not found:

Object oval:ssg-obj_prevent_user_enable_wifi_creation:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/nm-applet/disable-wifi-create$
Instance: 1

Disable WIFI Network Notification in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80119-1

References:  3.1.16

Description

By default, GNOME disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notification, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
suppress-wireless-networks-available=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/suppress-wireless-networks-available

After the settings have been set, run dconf update.

Rationale

Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

OVAL details

Disable wifi notification  passed because these items were not found:

Object oval:ssg-obj_disable_wifi_notification:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/nm-applet]([^\n]*\n+)+?suppress-wireless-networks-available=true$
Instance: 1

Prevent enabling of wifi notification capability  passed because these items were not found:

Object oval:ssg-obj_prevent_user_enable_wifi_notification:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/nm-applet/suppress-wireless-networks-available$
Instance: 1

Require Credential Prompting for Remote Access in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80120-9

References:  3.1.12

Description

By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
authentication-methods=['vnc']

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/Vino/authentication-methods

After the settings have been set, run dconf update.

Rationale

Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.

OVAL details

configure remote access credentials  passed because these items were not found:

Object oval:ssg-obj_configure_remote_access_creds:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/Vino]([^\n]*\n+)+?authentication-methods=\['vnc'\]$
Instance: 1

prevent user from disabling remote access credential requirements  passed because these items were not found:

Object oval:ssg-obj_prevent_user_remote_access_creds:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/Vino/authentication-methods$
Instance: 1

Require Encryption for Remote Access in GNOME3

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-80121-7

References:  RHEL-07-TBD, CM-2(1)(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13

Description

By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
require-encryption=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/Vino/require-encryption

After the settings have been set, run dconf update.

Rationale

Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

OVAL details

configure remote access encryption passed because these items were not found:

Object oval:ssg-obj_configure_remote_access_encryption:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/Vino]([^\n]*\n+)+?require-encryption=true$
Instance: 1

prevent user from disabling remote access encryption passed because these items were not found:

Object oval:ssg-obj_prevent_user_remote_access_encryption:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/Vino/require-encryption$
Instance: 1

Disable GNOME3 Automounting

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80122-5

References:  AC-19(a), AC-19(d), AC-19(e), 3.1.7

Description

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set automount to false, automount-open to false, and autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never

After the settings have been set, run dconf update.

Rationale

Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

OVAL details

Disable automount in GNOME3 passed because these items were not found:

Object oval:ssg-obj_dconf_gnome_disable_automount:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$
Instance: 1

Disable automount-open in GNOME passed because these items were not found:

Object oval:ssg-obj_dconf_gnome_disable_automount_open:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$
Instance: 1

Disable autorun in GNOME passed because these items were not found:

Object oval:ssg-obj_dconf_gnome_disable_autorun:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$
Instance: 1

Prevent user from changing automount setting passed because these items were not found:

Object oval:ssg-obj_prevent_user_gnome_automount:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/media-handling/automount$
Instance: 1

Prevent user from changing automount-open setting passed because these items were not found:

Object oval:ssg-obj_prevent_user_gnome_automount_open:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/media-handling/automount-open$
Instance: 1

Prevent user from changing autorun setting passed because these items were not found:

Object oval:ssg-obj_prevent_user_gnome_autorun:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/media-handling/autorun-never$
Instance: 1

Disable All GNOME3 Thumbnailers

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80123-3

References:  CM-7

Description

The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set disable-all to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/thumbnailers]
disable-all=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/thumbnailers/disable-all

After the settings have been set, run dconf update. This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.

Rationale

An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.

OVAL details

Disable thumbnailers in GNOME3 passed because these items were not found:

Object oval:ssg-obj_gnome_disable_thumbnailers:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$
Instance: 1

user cannot enable thumbnailers passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_gnome_thumbnailers:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/thumbnailers/disable-all$
Instance: 1

Add nodev Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80146-4

References:  AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.18

Description

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.

OVAL details

'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1
State oval:ssg-state_nodev_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?nodev,?.*$

'nodev' mount option used for at least one CD / DVD drive alternative names in runtime configuration  passed because these items were not found:

Object oval:ssg-object_nodev_runtime_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_nodev_runtime_cd_dvd_drive:ste:1

Check if removable partition is configured with 'nodev' mount option in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
State oval:ssg-state_nodev_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?nodev,?.*

'nodev' mount option used for removable partition in runtime configuration  passed because these items were not found:

Object oval:ssg-object_nodev_runtime_not_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_nodev_runtime_not_cd_dvd_drive:ste:1

Add noexec Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80147-2

References:  AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, CCI-000087, 1.1.20

Description

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

OVAL details

'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1
State oval:ssg-state_noexec_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?noexec,?.*$

'noexec' mount option used for at least one CD / DVD drive alternative names in runtime configuration  passed because these items were not found:

Object oval:ssg-object_noexec_runtime_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_noexec_runtime_cd_dvd_drive:ste:1

Check if removable partition is configured with 'noexec' mount option in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
State oval:ssg-state_noexec_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?noexec,?.*

'noexec' mount option used for removable partition in runtime configuration  passed because these items were not found:

Object oval:ssg-object_noexec_runtime_not_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_noexec_runtime_not_cd_dvd_drive:ste:1

Add nosuid Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-80148-0

References:  RHEL-07-021010, SV-86667r1_rule, AC-6, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.19, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

OVAL details

'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/dev/dvd
/dev/scd0
/dev/sr0
/etc/fstab1
State oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?nosuid,?.*$

'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration  passed because these items were not found:

Object oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_nosuid_runtime_cd_dvd_drive:ste:1

Check if removable partition is configured with 'nosuid' mount option in /etc/fstab  passed because these items were not found:

Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$
/dev/cdrom
/etc/fstab1
State oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
Subexpression
^.*,?nosuid,?.*

'nosuid' mount option used for removable partition in runtime configuration  passed because these items were not found:

Object oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1 of type partition_object
Mount point: ^.*$
Filter: oval:ssg-state_nosuid_runtime_not_cd_dvd_drive:ste:1

Disable Modprobe Loading of USB Storage Driver

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result: pass
Time: 2018-04-30T11:14:48
Severity: medium
Identifiers and References

Identifiers:  CCE-27277-3

References:  RHEL-07-020100, SV-86607r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-0016, SRG-OS-000480-GPOS-00227, 3.1.21

Description

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install usb-storage /bin/true

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale

USB storage devices such as thumb drives can be used to introduce malicious software.

OVAL details

kernel module usb-storage disabled passed because of these items:

Path: /etc/modprobe.d/usb-storage.conf
Content: install usb-storage /bin/true

kernel module usb-storage disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
Instance: 1

kernel module usb-storage disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
Instance: 1

kernel module usb-storage disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
Instance: 1

kernel module usb-storage disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
Instance: 1

Disable Kernel Support for USB via Bootloader Configuration

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_nousb_argument
Result: pass
Time: 2018-04-30T11:14:48
Severity: low
Identifiers and References

Identifiers:  CCE-26548-8

References:  AC-19(a), AC-19(d), AC-19(e), CCI-001250

Description

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:

kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb

WARNING: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.

Rationale

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

OVAL details

Check for 'nousb' argument in /etc/default/grub  passed because of these items:

Path: /etc/default/grub
Content: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 nousb audit=1"

Disable the Automounter

Rule ID: xccdf_org.ssgproject.content_rule_service_autofs_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: medium
Identifiers and References

Identifiers:  CCE-27498-5

References:  RHEL-07-020110, SV-86609r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 3.4.6, 1.1.22

Description

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:

$ sudo systemctl disable autofs.service

Rationale

Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

OVAL details

systemd test  passed because of these items:



Test that the autofs service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
Unit: autofs\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_autofs:ste:1 of type systemdunitproperty_state
Value: inactive

Disable Mounting of cramfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: low
Identifiers and References

Identifiers:  CCE-80137-3

References:  CM-7, 1.1.1.1, 3.4.6

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install cramfs /bin/true

This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module cramfs disabled passed because of these items:

Path: /etc/modprobe.d/cramfs.conf
Content: install cramfs /bin/true

kernel module cramfs disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module cramfs disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module cramfs disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module cramfs disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
Instance: 1

Disable Mounting of freevxfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: low
Identifiers and References

Identifiers:  CCE-80138-1

References:  CM-7, 1.1.1.2, 3.4.6

Description

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install freevxfs /bin/true

This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module freevxfs disabled passed because of these items:

Path: /etc/modprobe.d/freevxfs.conf
Content: install freevxfs /bin/true

kernel module freevxfs disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module freevxfs disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_freevxfs_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module freevxfs disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_freevxfs_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module freevxfs disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_freevxfs_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
Instance: 1

Disable Mounting of jffs2

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: low
Identifiers and References

Identifiers:  CCE-80139-9

References:  CM-7, 1.1.1.3, 3.4.6

Description

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install jffs2 /bin/true

This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module jffs2 disabled passed because of these items:

Path: /etc/modprobe.d/jffs2.conf
Content: install jffs2 /bin/true

kernel module jffs2 disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
Instance: 1

kernel module jffs2 disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_jffs2_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
Instance: 1

kernel module jffs2 disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_jffs2_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
Instance: 1

kernel module jffs2 disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_jffs2_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
Instance: 1
Disable Mounting of hfsxccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled lowCCE-80140-7

Disable Mounting of hfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
Result
pass
Time2018-04-30T11:14:49
Severitylow
Identifiers and References

Identifiers:  CCE-80140-7

References:  CM-7, 1.1.1.4, 3.4.6

Description

To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module hfs disabled  passed because of these items:

Path: /etc/modprobe.d/hfs.conf
Content: install hfs /bin/true

kernel module hfs disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfs disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfs_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfs disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfs_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfs disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfs_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
Instance: 1

Disable Mounting of hfsplus

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: low
Identifiers and References

Identifiers:  CCE-80141-5

References:  CM-7, 1.1.1.5, 3.4.6

Description

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module hfsplus disabled  passed because of these items:

Path: /etc/modprobe.d/hfsplus.conf
Content: install hfsplus /bin/true

kernel module hfsplus disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfsplus disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfsplus_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfsplus disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfsplus_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1

kernel module hfsplus disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_hfsplus_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1

Disable Mounting of squashfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Result: pass
Time: 2018-04-30T11:14:49
Severity: low
Identifiers and References

Identifiers:  CCE-80142-3

References:  CM-7, 1.1.1.6, 3.4.6

Description

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

kernel module squashfs disabled  passed because of these items:

Path: /etc/modprobe.d/squashfs.conf
Content: install squashfs /bin/true

kernel module squashfs disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module squashfs disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_squashfs_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module squashfs disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_squashfs_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1

kernel module squashfs disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_squashfs_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1

Ensure All Files Are Owned by a User

Rule ID: xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result: pass
Time: 2018-04-30T11:15:08
Severity: medium
Identifiers and References

Identifiers:  CCE-80134-0

References:  RHEL-07-020320, SV-86631r1_rule, AC-3(4), AC-6, CM-6(b), CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.11

Description

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

OVAL details

Check user ids on all files on the system  passed because these items were not found:

Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
Behaviors: no value
Path: /
Filename: .*
Filter: oval:ssg-file_permissions_unowned_userid_list_match:ste:1

Ensure All Files Are Owned by a Group

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result: pass
Time: 2018-04-30T11:15:28
Severity: medium
Identifiers and References

Identifiers:  CCE-80135-7

References:  RHEL-07-020330, SV-86633r1_rule, AC-3(4), AC-6, IA-2, CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.12

Description

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

OVAL details

files with no group owner  passed because these items were not found:

Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object
Behaviors: no value
Path: /
Filename: .*
Filter: oval:ssg-state_file_permissions_ungroupowned:ste:1

Ensure All World-Writable Directories Are Owned by a System Account

Rule ID: xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned
Result: pass
Time: 2018-04-30T11:15:32
Severity: low
Identifiers and References

Identifiers:  CCE-80136-5

References:  RHEL-07-021030, SV-86671r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

OVAL details

check for local directories that are world writable and have uid greater than or equal to 1000  passed because these items were not found:

Object oval:ssg-all_local_directories:obj:1 of type file_object
Behaviors: no value
Path: /
Filename: no value
Filter: oval:ssg-state_gid_is_user_and_world_writable:ste:1
State oval:ssg-state_gid_is_user_and_world_writable:ste:1 of type file_state
User id: 1000
Owrite: true

Disable Core Dumps for SUID programs

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result: pass
Time: 2018-04-30T11:15:32
Severity: low
Identifiers and References

Identifiers:  CCE-26900-1

References:  SI-11, 1.5.1

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Enable ExecShield

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
Result: pass
Time: 2018-04-30T11:15:32
Severity: medium
Identifiers and References

Identifiers:  CCE-27211-2

References:  SC-39, CCI-002530, 3.1.7, 1.5.2

Description

By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield.

Rationale

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

OVAL details

kernel runtime parameter kernel.exec-shield set to 1  passed because these items were not found:

Object oval:ssg-object_sysctl_kernel_exec_shield:obj:1 of type sysctl_object
Name: kernel.exec-shield
State oval:ssg-state_sysctl_kernel_exec_shield:ste:1 of type sysctl_state
Value: 1

kernel.exec-shield static configuration  passed because these items were not found:

Object oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$
Instance: 1

NX is disabled  passed because these items were not found:

Object oval:ssg-object_nx_disabled_grub:obj:1 of type textfilecontent54_object
Filepath: /boot/grub2/grub.cfg
Pattern: [\s]*noexec[\s]*=[\s]*off
Instance: 1

Enable Randomized Layout of Virtual Address Space

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result: pass
Time: 2018-04-30T11:15:32
Severity: medium
Identifiers and References

Identifiers:  CCE-27127-0

References:  SC-30(2), 1.5.1, 3.1.7, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040201

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Install PAE Kernel on Supported 32-bit x86 Systems

Rule ID: xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32
Result: pass
Time: 2018-04-30T11:15:32
Severity: low
Identifiers and References

Identifiers:  CCE-27116-3

References:  CM-6(b), 3.1.7

Description

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:

$ sudo yum install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary.

Rationale

On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Warnings

The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.

OVAL details

CPUs support PAE kernel or NX bit  passed because of these items:

Path: /proc/cpuinfo
Content: flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx hypervisor lahf_lm fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt

Package kernel-PAE is installed  passed because these items were not found:

Object oval:ssg-obj_package_kernel-PAE_installed:obj:1 of type rpminfo_object
Name: kernel-PAE

check for DEFAULTKERNEL set to kernel-PAE in /etc/sysconfig/kernel  passed because these items were not found:

Object oval:ssg-object_defaultkernel_sysconfig_kernel:obj:1 of type textfilecontent54_object
Filepath: /etc/sysconfig/kernel
Pattern: ^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$
Instance: 1

Restrict Access to Kernel Message Buffer

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Result: pass
Time: 2018-04-30T11:15:32
Severity: low
Identifiers and References

Identifiers:  CCE-27050-4

References:  SI-11, CCI-001314, 3.1.5

Description

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1

Rationale

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Disable the abrt_anon_write SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80419-5

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Description

By default, the SELinux boolean abrt_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the abrt_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_anon_write off

Rationale

OVAL details

abrt_anon_write is configured correctly  passed because of these items:

Name: abrt_anon_write
Current status: false
Pending status: false

Disable the abrt_handle_event SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80420-3

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Description

By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled. To disable the abrt_handle_event SELinux boolean, run the following command:

$ sudo setsebool -P abrt_handle_event off

Rationale

OVAL details

abrt_handle_event is configured correctly  passed because of these items:

Name: abrt_handle_event
Current status: false
Pending status: false

Disable the abrt_upload_watch_anon_write SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80421-1

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Description

By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services. To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_upload_watch_anon_write off

Rationale

OVAL details

abrt_upload_watch_anon_write is configured correctly  passed because of these items:

Name: abrt_upload_watch_anon_write
Current status: true
Pending status: true

Enable the auditadm_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80424-5

References:  RHEL-07-TBD, TBD, NaN, TBD, 80424-5

Description

By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the auditadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P auditadm_exec_content on

Rationale

OVAL details

auditadm_exec_content is configured correctly  passed because of these items:

Name: auditadm_exec_content
Current status: true
Pending status: true

Disable the cron_can_relabel SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_cron_can_relabel
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean cron_can_relabel is disabled. If this setting is enabled, it should be disabled. To disable the cron_can_relabel SELinux boolean, run the following command:

$ sudo setsebool -P cron_can_relabel off

Rationale

OVAL details

cron_can_relabel is configured correctly  passed because of these items:

Name: cron_can_relabel
Current status: false
Pending status: false

Disable the cron_system_cronjob_use_shares SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_cron_system_cronjob_use_shares
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean cron_system_cronjob_use_shares is disabled. If this setting is enabled, it should be disabled. To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:

$ sudo setsebool -P cron_system_cronjob_use_shares off

Rationale

OVAL details

cron_system_cronjob_use_shares is configured correctly  passed because of these items:

Name: cron_system_cronjob_use_shares
Current status: false
Pending status: false

Enable the cron_userdomain_transition SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_cron_userdomain_transition
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean cron_userdomain_transition is enabled. This setting should be enabled as end user cron jobs run in their default associated user domain(s) instead of the general cronjob domain. To enable the cron_userdomain_transition SELinux boolean, run the following command:

$ sudo setsebool -P cron_userdomain_transition on

Rationale

OVAL details

cron_userdomain_transition is configured correctly  passed because of these items:

Name: cron_userdomain_transition
Current status: true
Pending status: true

Disable the daemons_dump_core SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_daemons_dump_core
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean daemons_dump_core is disabled. If this setting is enabled, it should be disabled. To disable the daemons_dump_core SELinux boolean, run the following command:

$ sudo setsebool -P daemons_dump_core off

Rationale

OVAL details

daemons_dump_core is configured correctly  passed because of these items:

Name: daemons_dump_core
Current status: false
Pending status: false

Disable the daemons_use_tcp_wrapper SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_daemons_use_tcp_wrapper
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean daemons_use_tcp_wrapper is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tcp_wrapper off

Rationale

OVAL details

daemons_use_tcp_wrapper is configured correctly  passed because of these items:

Name: daemons_use_tcp_wrapper
Current status: false
Pending status: false

Disable the daemons_use_tty SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_daemons_use_tty
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean daemons_use_tty is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tty off

Rationale

OVAL details

daemons_use_tty is configured correctly  passed because of these items:

Name: daemons_use_tty
Current status: false
Pending status: false

Disable the deny_execmem SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_deny_execmem
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean deny_execmem is disabled. If this setting is enabled, it should be disabled. To disable the deny_execmem SELinux boolean, run the following command:

$ sudo setsebool -P deny_execmem off

Rationale

OVAL details

deny_execmem is configured correctly  passed because of these items:

Name: deny_execmem
Current status: false
Pending status: false

Disable the deny_ptrace SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_deny_ptrace
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean deny_ptrace is disabled. If this setting is enabled, it should be disabled. To disable the deny_ptrace SELinux boolean, run the following command:

$ sudo setsebool -P deny_ptrace off

Rationale

OVAL details

deny_ptrace is configured correctly  passed because of these items:

Name: deny_ptrace
Current status: false
Pending status: false

Enable the domain_fd_use SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_domain_fd_use
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean domain_fd_use is enabled. If this setting is disabled, it should be enabled. To enable the domain_fd_use SELinux boolean, run the following command:

$ sudo setsebool -P domain_fd_use on

Rationale

OVAL details

domain_fd_use is configured correctly  passed because of these items:

Name: domain_fd_use
Current status: true
Pending status: true

Disable the domain_kernel_load_modules SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_domain_kernel_load_modules
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command:

$ sudo setsebool -P domain_kernel_load_modules off

Rationale

OVAL details

domain_kernel_load_modules is configured correctly  passed because of these items:

Name: domain_kernel_load_modules
Current status: false
Pending status: false

Enable the fips_mode SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_fips_mode
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80418-7

References:  RHEL-07-TBD, SC-13, NaN, TBD, 3.13.11

Description

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled. To enable the fips_mode SELinux boolean, run the following command:

$ sudo setsebool -P fips_mode on

Rationale

OVAL details

fips_mode is configured correctly  passed because of these items:

Name: fips_mode
Current status: true
Pending status: true

Disable the gpg_web_anon_write SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_gpg_web_anon_write
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean gpg_web_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the gpg_web_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gpg_web_anon_write off

Rationale

OVAL details

gpg_web_anon_write is configured correctly  passed because of these items:

Name: gpg_web_anon_write
Current status: false
Pending status: false

Disable the guest_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_guest_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean guest_exec_content is enabled. This setting should be disabled as no guest accounts should be used. To enable the guest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P guest_exec_content on

Rationale

OVAL details

guest_exec_content is configured correctly  passed because of these items:

Name: guest_exec_content
Current status: true
Pending status: true

Enable the kerberos_enabled SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_kerberos_enabled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. To enable the kerberos_enabled SELinux boolean, run the following command:

$ sudo setsebool -P kerberos_enabled on

Rationale

OVAL details

kerberos_enabled is configured correctly  passed because of these items:

Name | Current status | Pending status
kerberos_enabled | true | true

Enable the logadm_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_logadm_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the logadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P logadm_exec_content on

Rationale

OVAL details

logadm_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
logadm_exec_content | true | true

Disable the logging_syslogd_can_sendmail SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_can_sendmail
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_can_sendmail off

Rationale

OVAL details

logging_syslogd_can_sendmail is configured correctly  passed because of these items:

Name | Current status | Pending status
logging_syslogd_can_sendmail | false | false

Enable the logging_syslogd_use_tty SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_use_tty
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled, as it allows syslog to read from and write to terminals. To enable the logging_syslogd_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_use_tty on

Rationale

OVAL details

logging_syslogd_use_tty is configured correctly  passed because of these items:

Name | Current status | Pending status
logging_syslogd_use_tty | true | true

Disable the mmap_low_allowed SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_mmap_low_allowed
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled. To disable the mmap_low_allowed SELinux boolean, run the following command:

$ sudo setsebool -P mmap_low_allowed off

Rationale

OVAL details

mmap_low_allowed is configured correctly  passed because of these items:

Name | Current status | Pending status
mmap_low_allowed | false | false

Disable the mock_enable_homedirs SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_mock_enable_homedirs
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P mock_enable_homedirs off

Rationale

OVAL details

mock_enable_homedirs is configured correctly  passed because of these items:

Name | Current status | Pending status
mock_enable_homedirs | false | false

Enable the mount_anyfile SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_mount_anyfile
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted. To enable the mount_anyfile SELinux boolean, run the following command:

$ sudo setsebool -P mount_anyfile on

Rationale

OVAL details

mount_anyfile is configured correctly  passed because of these items:

Name | Current status | Pending status
mount_anyfile | true | true

Disable the polyinstantiation_enabled SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean polyinstantiation_enabled is disabled. If this setting is enabled, it should be disabled. To disable the polyinstantiation_enabled SELinux boolean, run the following command:

$ sudo setsebool -P polyinstantiation_enabled off

Rationale

OVAL details

polyinstantiation_enabled is configured correctly  passed because of these items:

Name | Current status | Pending status
polyinstantiation_enabled | false | false

Enable the secadm_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_secadm_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean secadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the secadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P secadm_exec_content on

Rationale

OVAL details

secadm_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
secadm_exec_content | true | true

Disable the secure_mode_insmod SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean secure_mode_insmod is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod off

Rationale

OVAL details

secure_mode_insmod is configured correctly  passed because of these items:

Name | Current status | Pending status
secure_mode_insmod | false | false

Disable the secure_mode SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean secure_mode is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode off

Rationale

OVAL details

secure_mode is configured correctly  passed because of these items:

Name | Current status | Pending status
secure_mode | false | false

Disable the secure_mode_policyload SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode_policyload
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_policyload off

Rationale

OVAL details

secure_mode_policyload is configured correctly  passed because of these items:

Name | Current status | Pending status
secure_mode_policyload | false | false

Configure the selinuxuser_direct_dri_enabled SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_direct_dri_enabled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled. If XWindows is not installed or used on the system, this setting should be disabled. Otherwise, enable it. To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_direct_dri_enabled off

Rationale

OVAL details

selinuxuser_direct_dri_enabled is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_direct_dri_enabled | true | true

Disable the selinuxuser_execheap SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_execheap is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off

Rationale

OVAL details

selinuxuser_execheap is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_execheap | false | false

Enable the selinuxuser_execmod SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled. To enable the selinuxuser_execmod SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execmod on

Rationale

OVAL details

selinuxuser_execmod is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_execmod | true | true

Disable the selinuxuser_execstack SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the selinuxuser_execstack SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execstack off

Rationale

OVAL details

selinuxuser_execstack is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_execstack | true | true

Disable the selinuxuser_mysql_connect_enabled SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_mysql_connect_enabled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_mysql_connect_enabled off

Rationale

OVAL details

selinuxuser_mysql_connect_enabled is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_mysql_connect_enabled | false | false

Enable the selinuxuser_ping SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

Rationale

OVAL details

selinuxuser_ping is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_ping | true | true

Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_postgresql_connect_enabled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off

Rationale

OVAL details

selinuxuser_postgresql_connect_enabled is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_postgresql_connect_enabled | false | false

Disable the selinuxuser_rw_noexattrfile SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_rw_noexattrfile
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled. This setting should be disabled as users should not be able to read/write files on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc. To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_rw_noexattrfile off

Rationale

OVAL details

selinuxuser_rw_noexattrfile is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_rw_noexattrfile | true | true

Disable the selinuxuser_share_music SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_share_music
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_share_music is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_share_music SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_share_music off

Rationale

OVAL details

selinuxuser_share_music is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_share_music | false | false

Disable the selinuxuser_tcp_server SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_tcp_server
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_tcp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_tcp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_tcp_server off

Rationale

OVAL details

selinuxuser_tcp_server is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_tcp_server | false | false

Disable the selinuxuser_udp_server SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_udp_server
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_udp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_udp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_udp_server off

Rationale

OVAL details

selinuxuser_udp_server is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_udp_server | false | false

Disable the selinuxuser_use_ssh_chroot SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_use_ssh_chroot
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_use_ssh_chroot off

Rationale

OVAL details

selinuxuser_use_ssh_chroot is configured correctly  passed because of these items:

Name | Current status | Pending status
selinuxuser_use_ssh_chroot | false | false

Disable the ssh_chroot_rw_homedirs SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_ssh_chroot_rw_homedirs
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P ssh_chroot_rw_homedirs off

Rationale

OVAL details

ssh_chroot_rw_homedirs is configured correctly  passed because of these items:

Name | Current status | Pending status
ssh_chroot_rw_homedirs | false | false

Disable the ssh_keysign SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_ssh_keysign
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean ssh_keysign is disabled. If this setting is enabled, it should be disabled. To disable the ssh_keysign SELinux boolean, run the following command:

$ sudo setsebool -P ssh_keysign off

Rationale

OVAL details

ssh_keysign is configured correctly  passed because of these items:

Name | Current status | Pending status
ssh_keysign | false | false

Enable the staff_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_staff_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean staff_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the staff_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P staff_exec_content on

Rationale

OVAL details

staff_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
staff_exec_content | true | true

Enable the sysadm_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_sysadm_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean sysadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the sysadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P sysadm_exec_content on

Rationale

OVAL details

sysadm_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
sysadm_exec_content | true | true

Disable the use_ecryptfs_home_dirs SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_use_ecryptfs_home_dirs
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_ecryptfs_home_dirs off

Rationale

OVAL details

use_ecryptfs_home_dirs is configured correctly  passed because of these items:

Name | Current status | Pending status
use_ecryptfs_home_dirs | false | false

Enable the user_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_user_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean user_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the user_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P user_exec_content on

Rationale

OVAL details

user_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
user_exec_content | true | true

Disable the xdm_bind_vnc_tcp_port SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xdm_bind_vnc_tcp_port
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled. To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:

$ sudo setsebool -P xdm_bind_vnc_tcp_port off

Rationale

OVAL details

xdm_bind_vnc_tcp_port is configured correctly  passed because of these items:

Name | Current status | Pending status
xdm_bind_vnc_tcp_port | false | false

Disable the xdm_exec_bootloader SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xdm_exec_bootloader
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled. To disable the xdm_exec_bootloader SELinux boolean, run the following command:

$ sudo setsebool -P xdm_exec_bootloader off

Rationale

OVAL details

xdm_exec_bootloader is configured correctly  passed because of these items:

Name | Current status | Pending status
xdm_exec_bootloader | false | false

Disable the xdm_write_home SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xdm_write_home
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled. To disable the xdm_write_home SELinux boolean, run the following command:

$ sudo setsebool -P xdm_write_home off

Rationale

OVAL details

xdm_write_home is configured correctly  passed because of these items:

Name | Current status | Pending status
xdm_write_home | false | false

Disable the xguest_connect_network SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xguest_connect_network
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled as guest users should not be able to configure NetworkManager. To disable the xguest_connect_network SELinux boolean, run the following command:

$ sudo setsebool -P xguest_connect_network off

Rationale

OVAL details

xguest_connect_network is configured correctly  passed because of these items:

Name | Current status | Pending status
xguest_connect_network | true | true

Disable the xguest_exec_content SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xguest_exec_content
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled as guest users should not be able to run executables. To disable the xguest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P xguest_exec_content off

Rationale

OVAL details

xguest_exec_content is configured correctly  passed because of these items:

Name | Current status | Pending status
xguest_exec_content | true | true

Disable the xguest_mount_media SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xguest_mount_media
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media. To disable the xguest_mount_media SELinux boolean, run the following command:

$ sudo setsebool -P xguest_mount_media off

Rationale

OVAL details

xguest_mount_media is configured correctly  passed because of these items:

Name | Current status | Pending status
xguest_mount_media | true | true

Disable the xguest_use_bluetooth SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xguest_use_bluetooth
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled as guest users should not be able to access or use Bluetooth. To disable the xguest_use_bluetooth SELinux boolean, run the following command:

$ sudo setsebool -P xguest_use_bluetooth off

Rationale

OVAL details

xguest_use_bluetooth is configured correctly  passed because of these items:

Name | Current status | Pending status
xguest_use_bluetooth | true | true

Disable the xserver_clients_write_xshm SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xserver_clients_write_xshm
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled. To disable the xserver_clients_write_xshm SELinux boolean, run the following command:

$ sudo setsebool -P xserver_clients_write_xshm off

Rationale

OVAL details

xserver_clients_write_xshm is configured correctly  passed because of these items:

Name: xserver_clients_write_xshm
Current status: false
Pending status: false

Disable the xserver_execmem SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xserver_execmem
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled. To disable the xserver_execmem SELinux boolean, run the following command:

$ sudo setsebool -P xserver_execmem off

Rationale

OVAL details

xserver_execmem is configured correctly  passed because of these items:

Name: xserver_execmem
Current status: false
Pending status: false

Disable the xserver_object_manager SELinux Boolean

Rule ID: xccdf_org.ssgproject.content_rule_sebool_xserver_object_manager
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Description

By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled. To disable the xserver_object_manager SELinux boolean, run the following command:

$ sudo setsebool -P xserver_object_manager off

Rationale

OVAL details

xserver_object_manager is configured correctly  passed because of these items:

Name: xserver_object_manager
Current status: false
Pending status: false

Ensure SELinux Not Disabled in /etc/default/grub

Rule ID: xccdf_org.ssgproject.content_rule_enable_selinux_bootloader
Result: pass
Time: 2018-04-30T11:15:32
Severity: medium
Identifiers and References

Identifiers:  CCE-26961-3

References:  AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-000022, CCI-000032, 1.6.1.1, 3.1.2, 3.7.2

Description

SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

OVAL details

check value selinux|enforcing=0 in /etc/default/grub, fail if found  passed because these items were not found:

Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$
Instance: 1

check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found  passed because these items were not found:

Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object
Filepath: /etc/grub2.cfg
Pattern: ^.*(selinux|enforcing)=0.*$
Instance: 1

check value selinux|enforcing=0 in /etc/grub.d fail if found  passed because these items were not found:

Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object
Path: /etc/grub.d
Filename: ^.*$
Pattern: ^.*(selinux|enforcing)=0.*$
Instance: 1

Ensure SELinux State is Enforcing

Rule ID: xccdf_org.ssgproject.content_rule_selinux_state
Result: pass
Time: 2018-04-30T11:15:32
Severity: high
Identifiers and References

Identifiers:  CCE-27334-2

References:  RHEL-07-020210, SV-86613r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002165, CCI-002696, 1.6.1.2, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2

Description

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

Rationale

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

OVAL details

/selinux/enforce is 1  passed because of these items:

Path: /etc/selinux/config
Content: SELINUX=enforcing

Configure SELinux Policy

Rule ID: xccdf_org.ssgproject.content_rule_selinux_policytype
Result: pass
Time: 2018-04-30T11:15:32
Severity: high
Identifiers and References

Identifiers:  CCE-27279-9

References:  RHEL-07-020220, SV-86615r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002696, 1.6.1.3, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2

Description

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.

OVAL details

Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file  passed because of these items:

Path: /etc/selinux/config
Content: SELINUXTYPE=targeted

Ensure No Daemons are Unconfined by SELinux

Rule ID: xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27288-0

References:  AC-6, AU-9, CM-7, 1.6.1.6, 3.1.2, 3.1.5, 3.7.2

Description

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context.

To check for unconfined daemons, run the following command:

$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'

It should produce no output in a well-configured system.

Rationale

Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

OVAL details

device_t in /dev  passed because these items were not found:

Object oval:ssg-object_selinux_confinement_of_daemons:obj:1 of type selinuxsecuritycontext_object
Behaviors: no value
Path: /proc
Filename: ^.*$
Filter: oval:ssg-state_selinux_confinement_of_daemons:ste:1
State oval:ssg-state_selinux_confinement_of_daemons:ste:1 of type selinuxsecuritycontext_state
Type: initrc_t

Ensure No Device Files are Unlabeled by SELinux

Rule ID: xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Severitymedium
Identifiers and References

Identifiers:  CCE-27326-8

References:  RHEL-07-020900, SV-86663r1_rule, AC-6, AU-9, CM-3(f), CM-7, CCI-000022, CCI-000032, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227, 3.1.2, 3.1.5, 3.7.2

Description

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files do not carry the SELinux type device_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for unlabeled device files, run the following command:

$ sudo find /dev -context "*:device_t:*" \( -type c -o -type b \) -printf "%p %Z\n"

It should produce no output in a well-configured system.

Rationale

If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file.

OVAL details

device_t in /dev  passed because these items were not found:

Object oval:ssg-object_selinux_all_devicefiles_labeled:obj:1 of type selinuxsecuritycontext_object
Behaviors: no value
Path: /dev
Filename: ^.*$
Filter: oval:ssg-state_selinux_all_devicefiles_labeled:ste:1
State oval:ssg-state_selinux_all_devicefiles_labeled:ste:1 of type selinuxsecuritycontext_state
Type: device_t

Direct root Logins Not Allowed

Rule ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Severitymedium
Identifiers and References

Identifiers:  CCE-27294-8

References:  IA-2(1), 5.5, 3.1.1, 3.1.6

Description

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log in to. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous, as a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux's /etc/securetty file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command:

$ sudo sh -c 'echo > /etc/securetty'

Rationale

Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.

OVAL details

no entries in /etc/securetty  passed because of these items:

Path: /etc/securetty
Content: (empty)

/etc/securetty file exists  passed because of these items:

Path: /etc/securetty
Content: (empty)

Restrict Serial Port Root Logins

Rule ID: xccdf_org.ssgproject.content_rule_restrict_serial_port_logins
Result: pass
Time: 2018-04-30T11:15:33
Severity: low
Identifiers and References

Identifiers:  CCE-27268-2

References:  AC-6(2), CCI-000770, 3.1.1, 3.1.5

Description

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

ttyS0
ttyS1

Rationale

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

OVAL details

serial ports /etc/securetty  passed because these items were not found:

Object oval:ssg-object_serial_ports_etc_securetty:obj:1 of type textfilecontent54_object
Filepath: /etc/securetty
Pattern: ^ttyS[0-9]+$
Instance: 1

Verify Only Root Has UID 0

Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result: pass
Time: 2018-04-30T11:15:33
Severity: high
Identifiers and References

Identifiers:  CCE-27175-9

References:  RHEL-07-020310, SV-86629r1_rule, AC-6, IA-2(1), IA-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.1, 3.1.5, 6.2.5

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL details

test that there are no accounts with UID 0 except root in the /etc/passwd file  passed because these items were not found:

Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Filepath: /etc/passwd
Pattern: ^(?!root:)[^:]*:[^:]*:0
Instance: 1

Prevent Log In to Accounts With Empty Password

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result: pass
Time: 2018-04-30T11:15:33
Severity: high
Identifiers and References

Identifiers:  CCE-27286-4

References:  RHEL-07-010290, SV-86561r1_rule, AC-6, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000366, SRG-OS-000480-GPOS-00227, Req-8.2.3, 5.5.2, 3.1.1, 3.1.5

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL details

make sure nullok is not used in /etc/pam.d/system-auth  passed because these items were not found:

Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: \s*nullok\s*
Instance: 1

Verify All Account Password Hashes are Shadowed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27352-4

References:  IA-5(h), Req-8.2.1, 5.5.2, 3.5.10

Description

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

OVAL details

password hashes are shadowed  passed because of these items:

Username | Password | User id | Group id | Gcos | Home dir | Login shell | Last login
root | x | 0 | 0 | root | /root | /bin/bash | 1524951308
bin | x | 1 | 1 | bin | /bin | /sbin/nologin | 0
daemon | x | 2 | 2 | daemon | /sbin | /sbin/nologin | 0
adm | x | 3 | 4 | adm | /var/adm | /sbin/nologin | 0
lp | x | 4 | 7 | lp | /var/spool/lpd | /sbin/nologin | 0
sync | x | 5 | 0 | sync | /sbin | /bin/sync | 0
shutdown | x | 6 | 0 | shutdown | /sbin | /sbin/shutdown | 0
polkitd | x | 999 | 998 | User for polkitd | / | /sbin/nologin | 0
halt | x | 7 | 0 | halt | /sbin | /sbin/halt | 0
mail | x | 8 | 12 | mail | /var/spool/mail | /sbin/nologin | 0
operator | x | 11 | 0 | operator | /root | /sbin/nologin | 0
games | x | 12 | 100 | games | /usr/games | /sbin/nologin | 0
ftp | x | 14 | 50 | FTP User | /var/ftp | /sbin/nologin | 0
nobody | x | 99 | 99 | Nobody | / | /sbin/nologin | 0
systemd-network | x | 192 | 192 | systemd Network Management | / | /sbin/nologin | 0
dbus | x | 81 | 81 | System message bus | / | /sbin/nologin | 0
postfix | x | 89 | 89 |  | /var/spool/postfix | /sbin/nologin | 0
sshd | x | 74 | 74 | Privilege-separated SSH | /var/empty/sshd | /sbin/nologin | 0
chrony | x | 998 | 996 |  | /var/lib/chrony | /sbin/nologin | 0
admin | x | 1000 | 1000 | admin | /home/admin | /bin/bash | -1

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule ID: xccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result: pass
Time: 2018-04-30T11:15:33
Severity: low
Identifiers and References

Identifiers:  CCE-27503-2

References:  RHEL-07-020300, SV-86627r1_rule, IA-2, CCI-000764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2

Description

Add a group to the system for each GID referenced without a corresponding group.

Rationale

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

OVAL details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group  passed because of these items:

Path | Content
/etc/passwd | root:x:0:0:
/etc/passwd | bin:x:1:1:
/etc/passwd | daemon:x:2:2:
/etc/passwd | adm:x:3:4:
/etc/passwd | lp:x:4:7:
/etc/passwd | sync:x:5:0:
/etc/passwd | shutdown:x:6:0:
/etc/passwd | halt:x:7:0:
/etc/passwd | mail:x:8:12:
/etc/passwd | operator:x:11:0:
/etc/passwd | games:x:12:100:
/etc/passwd | ftp:x:14:50:
/etc/passwd | nobody:x:99:99:
/etc/passwd | systemd-network:x:192:192:
/etc/passwd | dbus:x:81:81:
/etc/passwd | polkitd:x:999:998:
/etc/passwd | postfix:x:89:89:
/etc/passwd | sshd:x:74:74:
/etc/passwd | chrony:x:998:996:
/etc/passwd | admin:x:1000:1000:

Set Password Retry Prompts Permitted Per-Session

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result: pass
Time: 2018-04-30T11:15:33
Severity: low
Identifiers and References

Identifiers:  CCE-27160-1

References:  RHEL-07-010119, SV-87811r2_rule, CM-6(b), IA-5(c), CCI-000366, 6.3.2, SRG-OS-000480-GPOS-00225, 5.5.3

Description

To configure the number of retry prompts that are permitted per-session:

Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.

Rationale

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

OVAL details

check the configuration of /etc/pam.d/system-auth  passed because these items were not found:

Object oval:ssg-obj_password_pam_cracklib_retry:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$
Instance: 1
State oval:ssg-state_password_pam_retry:ste:1 of type textfilecontent54_state
Subexpression: 3

check the configuration of /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

Set Password Maximum Consecutive Repeating Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27333-4

References:  RHEL-07-010180, SV-86539r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 2 to prevent a run of (2 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: maxrepeat = 2

Set Password to Maximum of Consecutive Repeating Characters from Same Character Class

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27512-3

References:  RHEL-07-010190, SV-86541r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: maxclassrepeat = 4

Set Password Strength Minimum Digit Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27214-6

References:  RHEL-07-010140, SV-86531r2_rule, IA-5(1)(a), IA-5(b), IA-5(c), 194, CCI-000194, SRG-OS-000071-GPOS-00039, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: dcredit = -1

Set Password Minimum Length

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27293-0

References:  RHEL-07-010280, SV-86559r1_rule, IA-5(1)(a), CCI-000205, SRG-OS-000078-GPOS-00046, Req-8.2.3, 6.3.2, 5.6.2.1.1

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: minlen = 15

Set Password Strength Minimum Uppercase Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27200-5

References:  RHEL-07-010120, SV-86527r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000192, SRG-OS-000069-GPOS-00037, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: ucredit = -1

Set Password Strength Minimum Special Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27360-7

References:  RHEL-07-010150, SV-86533r1_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-001619, SRG-OS-000266-GPOS-00101

Description

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: ocredit = -1

Set Password Strength Minimum Lowercase Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27345-8

References:  RHEL-07-010130, SV-86529r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000193, SRG-OS-000070-GPOS-00038, Req-8.2.3

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: lcredit = -1

Set Password Strength Minimum Different Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-26631-2

References:  RHEL-07-010160, SV-86535r1_rule, IA-5(b), IA-5(c), IA-5(1)(b), CCI-000195, SRG-OS-000072-GPOS-00040, 5.6.2.1.1

Description

The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in an old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: difok = 8

Set Password Strength Minimum Different Categories

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27115-5

References:  RHEL-07-010170, SV-86537r1_rule, IA-5, CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf to require 4 differing categories of characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf  passed because of these items:

Path: /etc/security/pwquality.conf
Content: minclass = 4

Set Deny For Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27350-8

References:  RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.6, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

OVAL details

Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check if pam_faillock.so is called in account phase before pam_unix  passed because of these items:

Path: /etc/pam.d/system-auth
Content: account required pam_faillock.so account required pam_unix.so

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check if pam_faillock_so is called in account phase before pam_unix.  passed because of these items:

Path: /etc/pam.d/password-auth
Content: account required pam_faillock.so account required pam_unix.so

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value  passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin/etc/pam.d/system-auth1
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Subexpression
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value  passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin/etc/pam.d/password-auth1
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Subexpression
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3

Set Lockout Time For Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-26884-7

References:  RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.7, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

OVAL details

check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

Configure the root Account for Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80353-6

References:  RHEL-07-010330, SV-86569r1_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Description

To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Modify the following line in the AUTH section to add even_deny_root:
    auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=never fail_interval=900
  • Modify the following line in the AUTH section to add even_deny_root:
    auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=never fail_interval=900

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL details

Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

Set Interval For Counting Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27297-1

References:  RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Description

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL details

check maximum preauth fail_interval allowed in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum authfail fail_interval allowed in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum authfail fail_interval allowed in /etc/pam.d/password-auth  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum preauth fail_interval allowed in /etc/pam.d/password-auth  passed because of these items:

Path: /etc/pam.d/password-auth
Content: auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

Limit Password Reuse

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-26923-3

References:  RHEL-07-010270, SV-86557r1_rule, IA-5(f), IA-5(1)(e), CCI-000200, SRG-OS-000077-GPOS-00045, Req-8.2.5, 5.3.3, 5.6.2.1.1, 3.5.8

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:

  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=5
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=5

The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

OVAL details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth  passed because of these items:

Path: /etc/pam.d/system-auth
Content: password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5

Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth  passed because these items were not found:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$
Instance: 1
State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
Subexpression: 5

Set PAM's Password Hashing Algorithm

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27104-9

References:  RHEL-07-010200, SV-86543r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL details

check /etc/pam.d/system-auth for correct settings  passed because of these items:

Path: /etc/pam.d/system-auth
Content: password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5

Set Password Hashing Algorithm in /etc/login.defs

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27124-7

References:  RHEL-07-010210, SV-86545r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

OVAL details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs  passed because of these items:

Var ref: oval:ssg-variable_last_encrypt_method_instance_value:var:1
Value: SHA512

Set Password Hashing Algorithm in /etc/libuser.conf

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27053-8

References:  RHEL-07-010220, SV-86547r2_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 5.6.2.2, 3.13.11

Description

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL details

The password hashing algorithm should be set correctly in /etc/libuser.conf  passed because of these items:

Path: /etc/libuser.conf
Content: crypt_style = sha512

Set Interactive Session Timeout

Rule ID: xccdf_org.ssgproject.content_rule_accounts_tmout
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27557-8

References:  RHEL-07-040160, SV-86847r2_rule, AC-12, SC-10, CCI-001133, CCI-000361, SRG-OS-000163-GPOS-00072, 3.1.11

Description

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:

TMOUT=600

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL details

TMOUT in /etc/profile  passed because of these items:

Path: /etc/profile
Content: TMOUT=600

TMOUT in /etc/profile.d/*.sh  passed because these items were not found:

Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object
Path: /etc/profile.d
Filename: ^.*\.sh$
Pattern: ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$
Instance: 1
State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state
Subexpression: 600

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule ID: xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result: pass
Time: 2018-04-30T11:15:33
Severity: low
Identifiers and References

Identifiers:  CCE-80352-8

References:  RHEL-07-010430, SV-86575r1_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00226

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

FAIL_DELAY 4

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

OVAL details

check FAIL_DELAY in /etc/login.defs  passed because of these items:

Path: /etc/login.defs
Content: FAIL_DELAY 4

Verify /boot/grub2/grub.cfg User Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-26860-7

References:  AC-6(7), CCI-000225, Req-7.1, 1.4.1, 5.5.2.2, 3.4.5

Description

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:

$ sudo chown root /boot/grub2/grub.cfg

Rationale

Only root should be able to modify important boot parameters.

OVAL details

/boot/grub2/grub.cfg owned by root  passed because of these items:

Path: /boot/grub2/grub.cfg
Type: regular
UID: 0
GID: 0
Size (B): 4235
Permissions: rw-------

Verify /boot/grub2/grub.cfg Group Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-26812-8

References:  AC-6(7), CCI-000225, Req-7.1, 1.4.1, 5.5.2.2, 3.4.5

Description

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:

$ sudo chgrp root /boot/grub2/grub.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

OVAL details

/boot/grub2/grub.cfg owned by root  passed because of these items:

Path: /boot/grub2/grub.cfg
Type: regular
UID: 0
GID: 0
Size (B): 4235
Permissions: rw-------

Verify /boot/grub2/grub.cfg Permissions

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27054-6

References:  AC-6(7), CCI-000225, 1.4.1, 3.4.5

Description

File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

$ sudo chmod 600 /boot/grub2/grub.cfg

Rationale

Proper permissions ensure that only the root user can modify important boot parameters.

OVAL details

Testing file permissions  passed because of these items:

Path: /boot/grub2/grub.cfg
Type: regular
UID: 0
GID: 0
Size (B): 4235
Permissions: rw-------

Set Boot Loader Password

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
Result: fail
Time: 2018-04-30T11:15:33
Severity: high
Identifiers and References

Identifiers:  CCE-27309-4

References:  RHEL-07-010480, SV-86585r1_rule, IA-2(1), IA-5(e), AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 1.4.2, 3.4.5

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

$ grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):

password_pbkdf2 superusers-account password-hash

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to

Warnings
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

OVAL details

/boot/grub2/grub.cfg does not exist  failed because of these items:

Path: /boot/grub2/grub.cfg
Type: regular
UID: 0
GID: 0
Size (B): 4235
Permissions: rw-------

make sure a password is defined in /boot/grub2/grub.cfg  failed because these items were missing:

Object oval:ssg-object_bootloader_password:obj:1 of type textfilecontent54_object
Filepath: /boot/grub2/grub.cfg
Pattern: ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$
Instance: 1

superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator  failed because these items were missing:

Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object
Filepath: /boot/grub2/grub.cfg
Pattern: ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$
Instance: 1

Set the UEFI Boot Loader Password

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_uefi_password
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-80354-4

References:  RHEL-07-010490, SV-86587r1_rule, AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 3.4.5, 1.4.2

Description

The UEFI grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

$ grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):

password_pbkdf2 superusers-account password-hash

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to

Warnings
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

OVAL details

/boot/efi/EFI/redhat/grub.cfg does not exist  passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_grub_cfg:obj:1 of type file_object
Filepath: /boot/efi/EFI/(redhat|fedora)/grub.cfg

make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg  passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_password:obj:1 of type textfilecontent54_object
Filepath: /boot/efi/EFI/(redhat|fedora)/grub.cfg
Pattern: ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$
Instance: 1

superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator  passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object
Filepath: /boot/efi/EFI/(redhat|fedora)/grub.cfg
Pattern: ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$
Instance: 1

Install the screen Package

Rule ID: xccdf_org.ssgproject.content_rule_package_screen_installed
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-27351-6

References:  RHEL-07-010090, SV-86521r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, 3.1.10

Description

To enable console screen locking, install the screen package:

$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The screen package allows for a session lock to be implemented and configured.

OVAL details

package screen is installed  passed because of these items:

Name: screen
Arch: x86_64
Epoch: (none)
Release: 0.25.20120314git3c2946.el7
Version: 4.1.0
Evr: 0:4.1.0-0.25.20120314git3c2946.el7
Signature keyid: 199e2f91fd431d51
Extended name: screen-0:4.1.0-0.25.20120314git3c2946.el7.x86_64
Enable Smart Card Login

Rule ID: xccdf_org.ssgproject.content_rule_smartcard_auth
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80207-4

References:  RHEL-07-010500, SV-86589r1_rule, IA-2(2), CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, Req-8.3, SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058

Description

To enable smart card authentication, consult the documentation at:

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

Rationale

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

OVAL details

Test ocsp_on in /etc/pam_pkcs11/pkcs11.conf  passed because of these items:

Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;

Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;

Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;

Test smartcard authentication is enabled in /etc/pam.d/system-auth file  passed because of these items:

Path: /etc/pam.d/system-auth
Content:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

Test smartcard authentication is required in /etc/pam.d/system-auth file  passed because these items were not found:

Object oval:ssg-object_smart_card_required_system_auth:obj:1 of type textfilecontent54_object
Behaviors: no value
Filepath: /etc/pam.d/system-auth
Pattern: \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n
Instance: 1

Test smartcard authentication is required in /etc/pam.d/smartcard-auth file  passed because of these items:

Path: /etc/pam.d/smartcard-auth
Content:
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password required pam_pkcs11.so
Require Authentication for Single User Mode

Rule ID: xccdf_org.ssgproject.content_rule_require_singleuser_auth
Result: pass
Time: 2018-04-30T11:15:33
Severity: medium
Identifiers and References

Identifiers:  CCE-27287-2

References:  IA-2(1), AC-3, CCI-000213, 3.1.1, 3.4.5, 1.4.3, SRG-OS-000080-GPOS-00048, RHEL-07-010481

Description

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

OVAL details

Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  passed because of these items:

Path: /usr/lib/systemd/system/rescue.service
Content: ExecStart=-/bin/sh -c "/usr/sbin/sulogin

Tests that the systemd rescue.service is in the runlevel1.target  passed because of these items:

Path: /usr/lib/systemd/system/runlevel1.target
Content: Requires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system  passed because these items were not found:

Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
Behaviors: no value
Path: /etc/systemd/system
Filename: ^runlevel1.target$

look for rescue.service in /etc/systemd/system  passed because these items were not found:

Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
Behaviors: no value
Path: /etc/systemd/system
Filename: ^rescue.service$
Disable debug-shell SystemD Service

Rule ID: xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80206-6

References:  3.4.5

Description

SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is disabled. The debug-shell service can be disabled with the following command:

$ sudo systemctl disable debug-shell.service

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the debug-shell service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object
Unit: debug-shell\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_debug-shell:ste:1 of type systemdunitproperty_state
Value: inactive
Disable Ctrl-Alt-Del Burst Action

Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
Result: pass
Time: 2018-04-30T11:15:34
Severity: high
Identifiers and References

Identifiers:  CCE-80449-2

References:  AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.4.5

Description

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:

CtrlAltDelBurstAction=none

Rationale

A locally logged-in user who presses Ctrl-Alt-Del when at the console can reboot the system. If pressed accidentally, as could happen in a mixed OS environment, this creates a risk of short-term loss of availability due to an unintentional reboot.

Warnings
warning  Disabling the Ctrl-Alt-Del key sequence with SystemD DOES NOT disable the Ctrl-Alt-Del key sequence if running in graphical.target mode (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical multi-user.target mode.
OVAL details

check if CtrlAltDelBurstAction is set to none  passed because of these items:

Path: /etc/systemd/system.conf
Content: CtrlAltDelBurstAction=none
Disable Ctrl-Alt-Del Reboot Activation

Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result: pass
Time: 2018-04-30T11:15:34
Severity: high
Identifiers and References

Identifiers:  CCE-27511-5

References:  RHEL-07-020230, SV-86617r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.4.5

Description

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.

Rationale

A locally logged-in user who presses Ctrl-Alt-Del when at the console can reboot the system. If pressed accidentally, as could happen in a mixed OS environment, this creates a risk of short-term loss of availability due to an unintentional reboot.

Warnings
warning  Disabling the Ctrl-Alt-Del key sequence with SystemD DOES NOT disable the Ctrl-Alt-Del key sequence if running in graphical.target mode (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical multi-user.target mode.
OVAL details

Disable Ctrl-Alt-Del key sequence override exists  passed because of these items:

Filepath: /etc/systemd/system/ctrl-alt-del.target
Canonical path: /dev/null
Verify that Interactive Boot is Disabled

Rule ID: xccdf_org.ssgproject.content_rule_disable_interactive_boot
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-27335-9

References:  SC-2, AC-3, CCI-000213, 3.1.2, 3.4.5

Description

Red Hat Enterprise Linux systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 7 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of

systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot.

Rationale

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Warnings
warning  The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
OVAL details

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX  passed because these items were not found:

Object oval:ssg-object_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$
Instance: 1

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT  passed because these items were not found:

Object oval:ssg-object_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$
Instance: 1
Enable GNOME3 Login Warning Banner

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-26970-4

References:  RHEL-07-010030, SV-86483r2_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, OS-SRG-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, 3.1.9

Description

In the default graphical environment, a login warning banner can be displayed on the GNOME Display Manager's login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

GUI banner is enabled  passed because these items were not found:

Object oval:ssg-obj_banner_gui_enabled:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/
Filename: ^.*$
Pattern: ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$
Instance: 1

GUI banner cannot be changed by user  passed because these items were not found:

Object oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/gdm.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/login-screen/banner-message-enable$
Instance: 1
Modify the System Login Banner

Rule ID: xccdf_org.ssgproject.content_rule_banner_etc_issue
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-27303-7

References:  RHEL-07-010050, SV-86487r1_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, 1.7.1.2, 3.1.9

Description

To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

correct banner in /etc/issue  passed because of these items:

Path: /etc/issue
Content: -- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.
Disable Kernel Parameter for Sending ICMP Redirects by Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80156-3

References:  RHEL-07-040650, SV-86915r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80156-3

References:  RHEL-07-040660, SV-86917r2_rule, AC-4, CM-7, SC-5(1), CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable Kernel Parameter for IP Forwarding

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80157-1

References:  RHEL-07-040740, SV-86933r1_rule, CM-7, SC-5, SC-32, CCI-000366, 3.1.1, SRG-OS-000480-GPOS-00227, 3.1.20

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-27434-0

References:  RHEL-07-040610, SV-86907r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80158-9

References:  RHEL-07-040641, SV-87827r2_rule, CM-6(d), CM-7, SC-5, CCI-000366, CCI-001503, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80159-7

References:  AC-4, CM-7, SC-5, CCI-001503, CCI-001551, 3.2.3, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Kernel Parameter to Log Martian Packets

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result: pass
Time: 2018-04-30T11:15:34
Severity: low
Identifiers and References

Identifiers:  CCE-80160-5

References:  AC-17(7), CM-7, SC-5(3), CCI-000126, 3.2.4, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Configure Kernel Parameter to Log Martian Packets By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
Result: pass
Time: 2018-04-30T11:15:34
Severity: low
Identifiers and References

Identifiers:  CCE-80161-3

References:  AC-17(7), CM-7, SC-5(3), CCI-000126, 3.2.4, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Configure Kernel Parameter for Accepting Source-Routed Packets By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80162-1

References:  RHEL-07-040620, SV-86909r1_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, CCI-001551, SRG-OS-000480-GPOS-00227, 3.2.1, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Configure Kernel Parameter for Accepting ICMP Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80163-9

References:  RHEL-07-040640, SV-86913r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80164-7

References:  AC-4, CM-7, SC-5, SC-7, CCI-001551, 3.2.3, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80165-4

References:  RHEL-07-040630, SV-86911r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.5, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Configure Kernel Parameter to Ignore Bogus ICMP Error Responses

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Result: pass
Time: 2018-04-30T11:15:34
Severity: low
Identifiers and References

Identifiers:  CCE-80166-2

References:  CM-7, SC-5, 3.2.6, 3.1.20

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Configure Kernel Parameter to Use TCP Syncookies

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-27495-1

References:  AC-4, SC-5(1)(2), SC-5(2), SC-5(3), CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.8, 5.10.1.1, 3.1.20

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80167-0

References:  AC-4, SC-5, SC-7, CCI-001551, 3.2.7, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Configure Kernel Parameter to Use Reverse Path Filtering by Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80168-8

References:  AC-4, SC-5, SC-7, 3.2.7, 3.1.20

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Deactivate Wireless Network Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result: pass
Time: 2018-04-30T11:15:34
Severity: low
Identifiers and References

Identifiers:  CCE-27358-1

References:  AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, CCI-000085, CCI-002418, 4.3.1, 3.1.16, SRG-OS-000424-GPOS-00188, RHEL-07-041010, SV-87829r1_rule

Description

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:

$ sudo nmcli radio wifi off

Rationale

The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

OVAL details

query /proc/net/wireless  passed because these items were not found:

Object oval:ssg-object_wireless_disable_interfaces:obj:1 of type textfilecontent54_object
Filepath: /proc/net/wireless
Pattern: ^\s*[-\w]+:
Instance: 1

Disable Bluetooth Service

Rule ID: xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27328-4

References:  AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, CCI-000085, CCI-001551, 3.1.16

Description

The bluetooth service can be disabled with the following command:

$ sudo systemctl disable bluetooth.service
$ sudo service bluetooth stop

Rationale

Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the bluetooth service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_bluetooth:obj:1 of type systemdunitproperty_object
Unit: bluetooth\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_bluetooth:ste:1 of type systemdunitproperty_state
Value: inactive

Disable Bluetooth Kernel Modules

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27327-6

References:  AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, CCI-000085, CCI-001551, 5.13.1.3, 3.1.16

Description

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install bluetooth /bin/true

Rationale

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

OVAL details

kernel module bluetooth disabled  passed because of these items:

Path: /etc/modprobe.d/bluetooth.conf
Content: install bluetooth /bin/true

kernel module bluetooth disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1

kernel module bluetooth disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1

kernel module bluetooth disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1

kernel module bluetooth disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1

Disable IPv6 Networking Support Automatic Loading

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80175-3

References:  CM-7, CCI-001551, 3.1.20, 3.3.3

Description

To disable support for IPv6, add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):

net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work.

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Disable Support for RPC IPv6

Rule ID: xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-80177-9

References:  CM-7, 3.1.20

Description

RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:

udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -

OVAL details

Test for udp6 based rpc services  passed because these items were not found:

Object oval:ssg-obj_network_ipv6_disable_rpc_udp6:obj:1 of type textfilecontent54_object
Filepath: /etc/netconfig
Pattern: ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$
Instance: 1

Test for tcp6 based rpc services  passed because these items were not found:

Object oval:ssg-obj_network_ipv6_disable_rpc_tcp6:obj:1 of type textfilecontent54_object
Filepath: /etc/netconfig
Pattern: ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$
Instance: 1

Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80179-5

References:  RHEL-07-040830, SV-86943r1_rule, AC-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Accepting IPv6 Router Advertisements

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-80180-3

References:  CM-7, 3.3.1, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting IPv6 Router Advertisements

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-80181-1

References:  CM-7, 3.3.1, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting IPv6 Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80182-9

References:  CM-7, CCI-001551, 3.3.2, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Configure Accepting IPv6 Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80183-7

References:  CM-7, CCI-001551, 3.3.2, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80335-1

References:  AC-4, CCI-000366, 3.1.20

Description

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for IPv6 Forwarding

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80356-9

References:  CM-7, SC-5, CCI-000366

Description

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Use Privacy Extensions for Address

Rule ID: xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-80185-2

References:  CCI-000366, 3.1.20

Description

To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:

IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied.

OVAL details

Enable privacy extensions on each interface  passed because of these items:

Path: /etc/sysconfig/network-scripts/ifcfg-lo
Content: IPV6_PRIVACY=rfc3041
Path: /etc/sysconfig/network-scripts/ifcfg-eth0
Content: IPV6_PRIVACY=rfc3041

Verify firewalld Enabled

Rule ID: xccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27361-5

References:  RHEL-07-040520, SV-86897r1_rule, CM-6(b), CCI-000366, 4.7, SRG-OS-000480-GPOS-00227, 3.1.3, 3.4.7

Description

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale

Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

OVAL details

Test that the firewalld service is running  passed because of these items:

Unit: firewalld.service
Property: ActiveState
Value: active

systemd test  passed because of these items:



Set Default firewalld Zone for Incoming Packets

Rule ID: xccdf_org.ssgproject.content_rule_set_firewalld_default_zone
Result: fail
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27349-0

References:  RHEL-07-040810, SV-86939r1_rule, CM-6(b), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227, 5.10.1, 3.1.3, 3.4.7, 3.13.6

Description

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:

DefaultZone=drop

Rationale

In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

OVAL details

Check /etc/firewalld/firewalld.conf DefaultZone for drop  failed because these items were missing:

Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object
Filepath: /etc/firewalld/firewalld.conf
Pattern: ^DefaultZone=drop$
Instance: 1

Disable DCCP Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-26828-4

References:  CM-7, CCI-001958, 3.5.1, 5.10.1, 3.4.6, RHEL-07-020101

Description

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install dccp /bin/true

Rationale

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

OVAL details

kernel module dccp disabled  passed because of these items:

Path: /etc/modprobe.d/dccp.conf
Content: install dccp /bin/true

kernel module dccp disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module dccp disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module dccp disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module dccp disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1

Disable SCTP Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27106-4

References:  CM-7, 3.5.2, 5.10.1, 3.4.6

Description

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install sctp /bin/true

Rationale

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

OVAL details

kernel module sctp disabled  passed because of these items:

Path: /etc/modprobe.d/sctp.conf
Content: install sctp /bin/true

kernel module sctp disabled in /etc/modprobe.conf  passed because these items were not found:

Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module sctp disabled in /etc/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module sctp disabled in /run/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1

kernel module sctp disabled in /usr/lib/modules-load.d  passed because these items were not found:

Object oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1

Verify Any Configured IPSec Tunnel Connections

Rule ID: xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
Result: notchecked
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80171-2

References:  RHEL-07-040820, SV-86941r1_rule, AC-4, CCI-000336, SRG-OS-000480-GPOS-00227

Description

Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d is an approved organizational connection.

Rationale

IP tunneling mechanisms can be used to bypass network filtering.

Evaluation messages
info: No candidate or applicable check found.

Ensure System is Not Acting as a Network Sniffer

Rule ID: xccdf_org.ssgproject.content_rule_network_sniffer_disabled
Result: pass
Time: 2018-04-30T11:15:34
Severity: medium
Identifiers and References

Identifiers:  CCE-80174-6

References:  RHEL-07-040670, SV-86919r1_rule, CM-7, CM-7(2).1(i), MA-3, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:

$ ip link | grep PROMISC

Rationale

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

OVAL details

check all network interfaces for PROMISC flag  passed because these items were not found:

Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object
Name: ^.*$
Filter: oval:ssg-state_promisc:ste:1

State oval:ssg-state_promisc:ste:1 of type interface_state
Flag: PROMISC

Ensure cron Is Logging To Rsyslog

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80380-9

References:  RHEL-07-021100, SV-86675r1_rule, AU-2(d), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:

cron.*                                                  /var/log/cron

Rationale

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

OVAL details

cron is configured in /etc/rsyslog.conf  passed because of these items:

Path: /etc/rsyslog.conf
Content: cron.* /var/log/cron

cron is configured in /etc/rsyslog.d  passed because these items were not found:

Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object
Path: /etc/rsyslog.d
Filename: ^.*$
Pattern: ^[\s]*cron\.\*[\s]*/var/log/cron$
Instance: 1

Ensure Logs Sent To Remote Host

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27343-3

References:  RHEL-07-031000, SV-86833r1_rule, AU-3(2), AU-4(1), AU-9, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 4.2.1.4, SRG-OS-000480-GPOS-00227

Description

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @loghost.example.com

To use TCP for log message delivery:

*.* @@loghost.example.com

To use RELP for log message delivery:

*.* :omrelp:loghost.example.com

There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.

Rationale

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

OVAL details

Ensures system configured to export logs to remote host  passed because of these items:

Path: /etc/rsyslog.conf
Content: *.* @

Ensures system configured to export logs to remote host  passed because these items were not found:

Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
Path: /etc/rsyslog.d
Filename: .*
Pattern: ^\*\.\*[\s]+(?:@|\:omrelp\:)
Instance: 1

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_nolisten
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-80192-8

References:  RHEL-07-031010, SV-86835r1_rule, AU-9(2), AC-4, CM-6(c), CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

OVAL details

Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun  passed because these items were not found:

Object oval:ssg-object_rsyslog_nolisten:obj:1 of type textfilecontent54_object
Filepath: /etc/rsyslog.conf
Pattern: ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun
Instance: 1

Configure auditd Number of Logs Retained

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27348-2

References:  AU-1(b), AU-11, IR-5, Req-10.7, 5.4.1.1, 3.3.1

Description

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:

num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL details

admin space left action   passed because of these items:

Path: /etc/audit/auditd.conf
Content: num_logs = 5

Configure auditd Max Log File Size

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27319-3

References:  AU-1(b), AU-11, IR-5, Req-10.7, 5.2.1.1, 5.4.1.1

Description

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:

max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL details

max log file size  passed because of these items:

Path: /etc/audit/auditd.conf
Content: max_log_file = 8

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27231-0

References:  AU-1(b), AU-4, AU-11, IR-5, Req-10.7, 5.2.1.3, 5.4.1.1

Description

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

Rationale

Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

OVAL details

admin space left action   passed because of these items:

Path: /etc/audit/auditd.conf
Content: max_log_file_action = ROTATE

Configure auditd space_left Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27375-5

References:  AU-1(b), AU-4, AU-5(1), AU-5(b), IR-5, CCI-001855, Req-10.7, 5.2.1.2, SRG-OS-000343-GPOS-00134, 030340, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Rationale

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL details

space left action  passed because of these items:

Path: /etc/audit/auditd.conf
Content: space_left_action = email

Configure auditd admin_space_left Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27370-6

References:  AU-1(b), AU-4, AU-5(b), IR-5, CCI-000140, CCI-001343, Req-10.7, 5.2.1.2, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

Rationale

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

OVAL details

space left action  passed because of these items:

Path: /etc/audit/auditd.conf
Content: admin_space_left_action = single

Configure auditd mail_acct Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27394-6

References:  RHEL-07-030350, SV-86717r2_rule, AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, CCI-001855, Req-10.7.a, 5.2.1.2, SRG-OS-000343-GPOS-00134, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct = root

Rationale

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

OVAL details

email account for actions  passed because of these items:

Path: /etc/audit/auditd.conf
Content: action_mail_acct = root

Configure auditd flush priority

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27331-8

References:  AU-9, AU-12(1), CCI-001576, 3.3.1

Description

The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:

flush = data

Rationale

Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.

OVAL details

test the value of flush parameter in /etc/audit/auditd.conf  passed because of these items:

Path: /etc/audit/auditd.conf
Content: flush = data

Configure auditd to use audispd's syslog plugin

Rule ID: xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27341-7

References:  AU-1(b), AU-3(2), IR-5, CCI-000136, Req-10.5.3, 5.4.1.1, 3.3.1

Description

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server.

OVAL details

audispd syslog plugin activated  passed because of these items:

Path: /etc/audisp/plugins.d/syslog.conf
Content: active = yes

Record attempts to alter time through adjtimex

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27290-6

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit adjtimex  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit augenrules 64-bit adjtimex  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

audit auditctl 32-bit adjtimex  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 64-bit adjtimex  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

Record attempts to alter time through settimeofday

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27216-1

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit settimeofday passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit augenrules 64-bit settimeofday passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

audit auditctl 32-bit settimeofday passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 64-bit settimeofday passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

Record Attempts to Alter Time Through stime

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_stime
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27299-7

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:

-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems).
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems).
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. The following is an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit stime passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 32-bit stime passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

Record Attempts to Alter Time Through clock_settime

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27219-5

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. The following is an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit clock_settime passed because of these items:

Path: /etc/audit/rules.d/time-change.rules
Content: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change

audit augenrules 64-bit clock_settime passed because of these items:

Path: /etc/audit/rules.d/time-change.rules
Content: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change

audit auditctl 32-bit clock_settime passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change

audit auditctl 64-bit clock_settime passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change

Record Attempts to Alter the localtime File

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27310-2

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(b), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit /etc/localtime watch augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -w /etc/localtime -p wa -k audit_time_rules

audit /etc/localtime watch auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/localtime -p wa -k audit_time_rules

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27339-1

References:  RHEL-07-030410, SV-86729r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit chmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit chmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - chown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27364-9

References:  RHEL-07-030370, SV-86721r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit chown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit chown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27393-8

References:  RHEL-07-030420, SV-86731r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fchmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27388-8

References:  RHEL-07-030430, SV-86733r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fchmodat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmodat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmodat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchmodat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27356-5

References:  RHEL-07-030380, SV-86723r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27387-0

References:  RHEL-07-030400, SV-86727r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fchownat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchownat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchownat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchownat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27353-2

References:  RHEL-07-030480, SV-86743r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27389-6

References:  RHEL-07-030450, SV-86737r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit fsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27083-5

References:  RHEL-07-030390, SV-86725r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit lchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27410-0

References:  RHEL-07-030490, SV-86745r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit lremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27280-7

References:  RHEL-07-030460, SV-86739r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit lsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27367-2

References:  RHEL-07-030470, SV-86741r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit removexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit removexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit removexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit removexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27213-8

References:  RHEL-07-030440, SV-86735r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit setxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit setxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit setxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit setxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Record Unauthorized Access Attempts to Files (unsuccessful) - creat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80385-8

References:  RHEL-07-030500, SV-86747r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Record Unauthorized Access Attempts to Files (unsuccessful) - open

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80386-6

References:  RHEL-07-030510, SV-86749r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Record Unauthorized Access Attempts to Files (unsuccessful) - openat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80387-4

References:  RHEL-07-030520, SV-86751r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80388-2

References:  RHEL-07-030530, SV-86753r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Record Unauthorized Access Attempts to Files (unsuccessful) - truncate

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80389-0

References:  RHEL-07-030540, SV-86755r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80390-8

References:  RHEL-07-030550, SV-86757r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eperm  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eaccess  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 64-bit file eperm  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Record Any Attempts to Run semanage

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80391-6

References:  RHEL-07-030560, SV-86759r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules semanage  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl semanage  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Record Any Attempts to Run setsebool

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80392-4

References:  RHEL-07-030570, SV-86761r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules setsebool  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl setsebool  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Record Any Attempts to Run chcon

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80393-2

References:  RHEL-07-030580, SV-86763r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules chcon  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chcon  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Record Any Attempts to Run restorecon

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
Result: pass
Time: 2018-04-30T11:15:36
Severity: medium
Identifiers and References

Identifiers:  CCE-80394-0

References:  RHEL-07-030590, SV-86765r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules restorecon  passed because of these items:

Path  Content
/etc/audit/rules.d/.rules  -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl restorecon  passed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
Result: fail
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27437-3

References:  RHEL-07-030360, SV-86719r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, CCI-002234, SRG-OS-000327-GPOS-00127, Req-10.2.2, 5.2.10, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules suid sgid  failed because of these items:

Path  Content
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules  -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit augenrules binaries count matches rules count  failed because of these items:

Var ref  Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1  27

audit auditctl suid sgid  failed because of these items:

Path  Content
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules  -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit auditctl binaries count matches rules count  failed because of these items:

Var ref  Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1  27
Remediation Shell script:



# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Function to perform remediation for 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# audit_tool		tool used to load audit rules
# 			One of 'auditctl' or 'augenrules'
#
# min_auid		Minimum original ID the user logged in with
# 			'500' for RHEL-6 and before, '1000' for RHEL-7 and after.
#
# Example Call(s):
#
#      perform_audit_rules_privileged_commands_remediation "auditctl" "500"
#      perform_audit_rules_privileged_commands_remediation "augenrules"	"1000"
#
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"

# Check sanity of the input
if [ $# -ne "2" ]
then
	echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
	echo "Aborting."
	exit 1
fi

declare -a files_to_inspect=()

# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
	echo "Unknown audit rules loading tool: $1. Aborting."
	echo "Use either 'auditctl' or 'augenrules'!"
	exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules' to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
#   missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
	files_to_inspect=("/etc/audit/audit.rules")
	output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
#   (split by newline),
# * specify '/etc/audit/rules.d/privileged.rules' as the output file, where
#   missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
	# Quote the glob so the shell does not expand it before find sees it
	IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print))
	output_audit_file="/etc/audit/rules.d/privileged.rules"
fi

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null))

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

	# Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
	sbinary_esc=${sbinary//$'/'/$'\/'}
	# Check if this sbinary wasn't already handled in some of the previous iterations
	# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
	if [[ $(sed -ne "/${sbinary_esc}$/p" <<< ${sbinaries_to_skip[@]}) ]]
	then
		# If so, don't process it second time & go to process next sbinary
		continue
	fi

	# Reset the counter of inspected files when starting to check
	# presence of existing audit rule for new sbinary
	local count_of_inspected_files=0

	# Define expected rule form for this binary
	expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"

	# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
	if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
		echo "$expected_rule" >> "$output_audit_file"
		continue
	fi

	# For each audit rules file from the list of files to be inspected
	for afile in "${files_to_inspect[@]}"
	do

		# Search current audit rules file's content for match. Match criteria:
		# * existing rule is for the same SUID/SGID binary we are currently processing (but
		#   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
		# * existing rule contains all arguments from expected rule form (though can contain
		#   them in arbitrary order)
	
		base_search=$(sed -e "/-a always,exit/!d" -e "/-F path=${sbinary_esc}$/!d"   \
		    		  -e "/-F path=[^[:space:]]\+/!d" -e "/-F perm=.*/!d"       \
				  -e "/-F auid>=${min_auid}/!d" -e "/-F auid!=4294967295/!d"  \
				  -e "/-k privileged/!d" $afile)

		# Increase the count of inspected files for this sbinary
		count_of_inspected_files=$((count_of_inspected_files + 1))

		# Require execute access type to be set for existing audit rule
		exec_access='x'

		# Search current audit rules file's content for presence of rule pattern for this sbinary
		if [[ $base_search ]]
		then

			# Current audit rules file already contains rule for this binary =>
			# Store the exact form of found rule for this binary for further processing
			concrete_rule=$base_search

			# Select all other SUID/SGID binaries possibly also present in the found rule
			IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< $concrete_rule))
			IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/})

			# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
			sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo $i; done | sort -du))

			# Separate concrete_rule into three sections using hash '#'
			# sign as a delimiter around rule's permission section borders
			concrete_rule=$(echo $concrete_rule | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")

			# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
			IFS=$'#' read rule_head rule_perm rule_tail <<<  "$concrete_rule"

			# Extract already present exact access type [r|w|x|a] from rule's permission section
			access_type=${rule_perm//-F perm=/}

			# Verify current permission access type(s) for rule contain 'x' (execute) permission
			if ! grep -q "$exec_access" <<< "$access_type"
			then

				# If not, append the 'x' (execute) permission to the existing access type bits
				access_type="$access_type$exec_access"
				# Reconstruct the permissions section for the rule
				new_rule_perm="-F perm=$access_type"
				# Update existing rule in current audit rules file with the new permission section
				sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" $afile

			fi

		# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
		#
		# * in the "auditctl" mode of operation insert particular rule each time
		#   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
		#
		# * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
		#   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
		#   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
		#
		elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
		then

			# Current audit rules file's content doesn't contain expected rule for this
			# SUID/SGID binary yet => append it
			echo $expected_rule >> $output_audit_file
			continue
		fi

	done

done
}	

perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
Remediation Ansible snippet:

Complexity: low
Disruption: low
Strategy: restrict

- name: Search for privileged commands
  shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
  check_mode: no
  register: find_result
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360

# Inserts/replaces the rule in /etc/audit/rules.d

- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path={{ item }} .*$"
    patterns: "*.rules"
  with_items:
    - "{{ find_result.stdout_lines }}"
  register: files_result
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
  
- name: Overwrites the rule in rules.d
  lineinfile:
    path: "{{ item.1.path }}"
    line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: no
    regexp: "^.*path={{ item.0.item }} .*$"
  with_subelements:
    - "{{ files_result.results }}"
    - files
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
    
- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
  with_items:
    - "{{ files_result.results }}"
  when: item.matched == 0
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
  
# Adds/overwrites the rule in /etc/audit/audit.rules

- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
    regexp: "^.*path={{ item.item }} .*$"
  with_items:
    - "{{ files_result.results }}"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360




Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80395-7

References:  RHEL-07-030630, SV-86773r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules passwd passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl passwd passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80396-5

References:  RHEL-07-030640, SV-86775r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules unix_chkpwd passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl unix_chkpwd passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80397-3

References:  RHEL-07-030650, SV-86777r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules gpasswd passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl gpasswd passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80398-1

References:  RHEL-07-030660, SV-86779r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules chage passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chage passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80399-9

References:  RHEL-07-030670, SV-86781r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules userhelper passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl userhelper passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80400-5

References:  RHEL-07-030680, SV-86783r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules su passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl su passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80401-3

References:  RHEL-07-030690, SV-86785r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules sudo passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl sudo passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80402-1

References:  RHEL-07-030730, SV-86793r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules sudoedit passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl sudoedit passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80403-9

References:  RHEL-07-030710, SV-86789r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules newgrp passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl newgrp passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80404-7

References:  RHEL-07-030720, SV-86791r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules chsh passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chsh passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - umount

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80405-4

References:  RHEL-07-030750, SV-86797r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules umount passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl umount passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80406-2

References:  RHEL-07-030760, SV-86799r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules postdrop passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl postdrop passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
Result
pass
Time2018-04-30T11:15:53
Severitymedium
Identifiers and References

Identifiers:  CCE-80407-0

References:  RHEL-07-030770, SV-86801r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules postqueue passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl postqueue passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80408-8

References:  RHEL-07-030780, SV-86803r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules ssh_keysign passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl ssh_keysign passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80410-4

References:  RHEL-07-030800, SV-86807r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules crontab passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl crontab passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80411-2

References:  RHEL-07-030810, SV-86809r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules pam_timestamp_check passed because of these items:

Path: /etc/audit/rules.d/privileged.rules
Content: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl pam_timestamp_check passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects File Deletion Events by User

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27206-2

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, 5.2.14, CCI-000366, CCI-000172, CCI-002884, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

Ensure auditd Collects File Deletion Events by User - rmdir

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80412-0

References:  RHEL-07-030900, SV-86827r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

OVAL details

audit augenrules 32-bit rmdir passed because of these items:

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit augenrules 64-bit rmdir passed because of these items:

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 32-bit rmdir passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 64-bit rmdir passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27206-2

References:  RHEL-07-030920, SV-86831r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

OVAL details

audit augenrules 32-bit unlinkat passed because of these items:

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit unlinkat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 32-bit unlinkat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 64-bit unlinkat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Ensure auditd Collects File Deletion Events by User - rename

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27206-2

References:  RHEL-07-030880, SV-86823r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

OVAL details

audit augenrules 32-bit rename passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit augenrules 64-bit rename passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 32-bit rename passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 64-bit rename passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Ensure auditd Collects File Deletion Events by User - renameat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80413-8

References:  RHEL-07-030890, SV-86825r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

OVAL details

audit augenrules 32-bit renameat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit augenrules 64-bit renameat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Path: /etc/audit/rules.d/delete.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 32-bit renameat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

audit auditctl 64-bit renameat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80414-6

References:  RHEL-07-030820, SV-86811r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or add two lines, one for b32 and one for b64, if your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

Rationale

The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules 32-bit init_module passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -a always,exit -F arch=b32 -S init_module -k modules

audit augenrules 64-bit init_module passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -a always,exit -F arch=b64 -S init_module -k modules

audit auditctl 32-bit init_module passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S init_module -k modules

audit auditctl 64-bit init_module passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S init_module -k modules

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80415-3

References:  RHEL-07-030830, SV-86813r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture kernel module unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or add two lines, one for b32 and one for b64, if your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

Rationale

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules 32-bit delete_module passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -a always,exit -F arch=b32 -S delete_module -k modules

audit augenrules 64-bit delete_module passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -a always,exit -F arch=b64 -S delete_module -k modules

audit auditctl 32-bit delete_module passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S delete_module -k modules

audit auditctl 64-bit delete_module passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S delete_module -k modules

Ensure auditd Collects Information on Kernel Module Loading - insmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80446-8

References:  RHEL-07-030840, SV-86815r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocations of insmod, the utility used to insert modules into the kernel, use the following line:

-w /usr/sbin/insmod -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

Rationale

The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules insmod passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -w /usr/sbin/insmod -p x -k modules

audit auditctl insmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /usr/sbin/insmod -p x -k modules

Ensure auditd Collects Information on Kernel Module Unloading - rmmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80416-1

References:  RHEL-07-030850, SV-86817r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocations of rmmod, the utility used to remove modules from the kernel, add the following line:

-w /usr/sbin/rmmod -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

Rationale

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules rmmod passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -w /usr/sbin/rmmod -p x -k modules

audit auditctl rmmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /usr/sbin/rmmod -p x -k modules

Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-80417-9

References:  RHEL-07-030860, SV-86819r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocations of modprobe, the utility used to insert modules into and remove modules from the kernel, add the following line:

-w /usr/sbin/modprobe -p x -k modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules modprobe passed because of these items:

Path: /etc/audit/rules.d/modules.rules
Content: -w /usr/sbin/modprobe -p x -k modules

audit auditctl modprobe passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /usr/sbin/modprobe -p x -k modules

Shutdown System When Auditing Failures Occur

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80381-7

References:  RHEL-07-030010, SV-86705r1_rule, AU-5, AU-5(a), CCI-000139, SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023, 3.3.1, 3.3.4

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-f 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:
-f 2

Rationale

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

OVAL details

audit augenrules configuration shutdown passed because of these items:

Path: /etc/audit/rules.d/immutable.rules
Content: -f 2

audit auditctl configuration shutdown passed because of these items:

Path: /etc/audit/audit.rules
Content: -f 2

Record Events that Modify User/Group Information - /etc/group

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80433-6

References:  RHEL-07-030871, SV-87817r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:

-w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:

-w /etc/group -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules group passed because of these items:

Path: /etc/audit/rules.d/audit_rules_usergroup_modification.rules
Content: -w /etc/group -p wa -k audit_rules_usergroup_modification

audit group passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/group -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/gshadow

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80432-8

References:  RHEL-07-030872, SV-87819r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules gshadow passed because of these items:

Path: /etc/audit/rules.d/audit_rules_usergroup_modification.rules
Content: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit gshadow passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/shadow

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80431-0

References:  RHEL-07-030873, SV-87823r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules shadow passed because of these items:

Path: /etc/audit/rules.d/audit_rules_usergroup_modification.rules
Content: -w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit shadow passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/shadow -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/passwd

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80435-1

References:  RHEL-07-030870, SV-86821r3_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules passwd passed because of these items:

Path: /etc/audit/rules.d/audit_rules_usergroup_modification.rules
Content: -w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit passwd passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/passwd -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80430-2

References:  RHEL-07-030874, SV-87825r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules opasswd passed because of these items:

Path: /etc/audit/rules.d/audit_rules_usergroup_modification.rules
Content: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit opasswd passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Record Events that Modify the System's Network Environment

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27076-9

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.4.1.1, 5.2.6, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

Rationale

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

OVAL details

audit /etc/issue augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit /etc/issue auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

System Audit Logs Must Have Mode 0640 or Less Permissive

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27205-4

References:  AC-6, AU-1(b), AU-9, IR-5, Req-10.5, 5.4.1.1, 3.3.1

Description

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

$ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file

Rationale

If users can write to audit logs, audit trails can be modified or destroyed.

OVAL details

/var/log/audit files mode 0600 passed because these items were not found:

Object oval:ssg-object_var_log_audit_files:obj:1 of type file_object
Behaviors: no value
Path: /var/log/audit
Filename: ^.*$
Filter: oval:ssg-state_not_mode_0600:ste:1
State oval:ssg-state_not_mode_0600:ste:1 of type file_state
Suid: true, Sgid: true, Sticky: true, Uexec: true, Gread: true, Gwrite: true, Gexec: true, Oread: true, Owrite: true, Oexec: true

/var/log/audit files mode 0640 passed because these items were not found:

Object oval:ssg-object_var_log_audit_files-non_root:obj:1 of type file_object
Behaviors: no value
Path: /var/log/audit
Filename: ^.*$
Filter: oval:ssg-state_not_mode_0640:ste:1
State oval:ssg-state_not_mode_0640:ste:1 of type file_state
Suid: true, Sgid: true, Sticky: true, Uexec: true, Gwrite: true, Gexec: true, Oread: true, Owrite: true, Oexec: true

System Audit Logs Must Be Owned By Root

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-80125-8

References:  AC-6, AU-1(b), AU-9, IR-5, CCI-000163, SRG-OS-000058-GPOS-00028, Req-10.5.1, 5.4.1.1, 3.3.1

Description

All audit logs must be owned by the root user and group. By default, the path for audit logs is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

OVAL details

/var/log/audit files uid root gid root passed because these items were not found:

Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type file_object
Behaviors: no value
Path: /var/log/audit
Filename: ^.*$
Filter: oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

/var/log/audit directories uid root gid root passed because these items were not found:

Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type file_object
Behaviors: no value
Path: /var/log/audit
Filename: no value
Filter: oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

/var/log/audit files uid root gid root passed because of these items:

Path: /var/log/audit/audit.log
Type: regular
UID: 0
GID: 0
Size (B): 924774
Permissions: rw-------

/var/log/audit directories uid root gid root passed because of these items:

Path: /var/log/audit/
Type: directory
UID: 0
GID: 0
Size (B): 23
Permissions: rwx------

Record Events that Modify the System's Mandatory Access Controls

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27168-4

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.2.7, 5.4.1.1, 3.1.8

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy

Rationale

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

OVAL details

audit selinux changes augenrules passed because of these items:

Path: /etc/audit/rules.d/MAC-policy.rules
Content: -w /etc/selinux/ -p wa -k MAC-policy

audit selinux changes auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/selinux/ -p wa -k MAC-policy

Record Attempts to Alter Process and Session Initiation Information

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events
Result: pass
Time: 2018-04-30T11:15:35
Severity: low
Identifiers and References

Identifiers:  CCE-27301-1

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.3, 5.2.9, 5.4.1.1, 3.1.7

Description

The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

OVAL details

audit augenrules utmp passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/run/utmp -p wa -k session

audit augenrules btmp passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/log/btmp -p wa -k session

audit augenrules wtmp passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/log/wtmp -p wa -k session

audit auditctl utmp passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/run/utmp -p wa -k session

audit auditctl btmp passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/log/btmp -p wa -k session

audit auditctl wtmp passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/log/wtmp -p wa -k session

Ensure auditd Collects Information on Exporting to Media (successful)

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_media_export
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27447-2

References:  RHEL-07-030740, SV-86795r3_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000135, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.13, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

Rationale

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

OVAL details

audit augenrules mount 32-bit passed because of these items:

Path: /etc/audit/rules.d/export.rules
Content: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit augenrules mount 64-bit passed because of these items:

Path: /etc/audit/rules.d/export.rules
Content: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 32-bit passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 64-bit passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export

Ensure auditd Collects System Administrator Actions

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result: pass
Time: 2018-04-30T11:15:53
Severity: low
Identifiers and References

Identifiers:  CCE-27461-3

References:  RHEL-07-030700, SV-86787r3_rule, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

Rationale

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

OVAL details

audit augenrules sudoers passed because of these items:

Path: /etc/audit/rules.d/actions.rules
Content: -w /etc/sudoers -p wa -k actions

audit auditctl sudoers passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/sudoers -p wa -k actions

Make the auditd Configuration Immutable

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27097-5

References:  AC-6, AU-1(b), AU-2(a), AU-2(c), AU-2(d), IR-5, Req-10.5.2, 4.1.18, 5.4.1.1, 3.3.1, 3.4.3

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.

Rationale

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

OVAL details

audit augenrules configuration locked passed because of these items:

Path: /etc/audit/rules.d/immutable.rules
Content: -e 2

audit auditctl configuration locked passed because of these items:

Path: /etc/audit/audit.rules
Content: -e 2

Enable auditd Service

Rule ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result: pass
Time: 2018-04-30T11:15:35
Severity: high
Identifiers and References

Identifiers:  CCE-27407-6

References:  RHEL-07-030000, SV-86703r1_rule, AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, CCI-000126, CCI-000131, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, Req-10, 4.1.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6

Description

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

$ sudo systemctl enable auditd.service

Rationale

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

OVAL details

Test that the auditd service is running passed because of these items:

Unit: auditd.service
Property: ActiveState
Value: active

systemd test  passed because of these items:


systemd test  passed because of these items:

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_audit_argument
Result: pass
Time: 2018-04-30T11:15:35
Severity: medium
Identifiers and References

Identifiers:  CCE-27212-0

References:  AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, IR-5, CCI-001464, CCI-000130, Req-10.3, 4.1.3, 5.4.1.1, 3.3.1

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Warnings
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
OVAL details

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  passed because of these items:

Path: /etc/default/grub
Content: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 nousb audit=1"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  passed because these items were not found:

Object oval:ssg-object_bootloader_audit_argument_default:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$
Instance: 1
State oval:ssg-state_bootloader_audit_argument:ste:1 of type textfilecontent54_state
Subexpression: ^.*audit=1.*$
Disable xinetd Service

Rule ID: xccdf_org.ssgproject.content_rule_service_xinetd_disabled
Result: pass
Time: 2018-04-30T11:15:53
Severity: medium
Identifiers and References

Identifiers:  CCE-27443-1

References:  AC-17(8), CM-7, CCI-000305, 3.4.7, 2.1.7

Description

The xinetd service can be disabled with the following command:

$ sudo systemctl disable xinetd.service

Rationale

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the xinetd service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_xinetd:obj:1 of type systemdunitproperty_object
Unit: xinetd\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_xinetd:ste:1 of type systemdunitproperty_state
Value: inactive
Uninstall xinetd Package

Rule ID: xccdf_org.ssgproject.content_rule_package_xinetd_removed
Result: pass
Time: 2018-04-30T11:15:53
Severity: low
Identifiers and References

Identifiers:  CCE-27354-0

References:  AC-17(8), CM-7, CCI-000305

Description

The xinetd package can be uninstalled with the following command:

$ sudo yum erase xinetd

Rationale

Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

OVAL details

package xinetd is removed  passed because these items were not found:

Object oval:ssg-obj_package_xinetd_removed:obj:1 of type rpminfo_object
Name: xinetd
Disable telnet Service

Rule ID: xccdf_org.ssgproject.content_rule_service_telnet_disabled
Result: pass
Time: 2018-04-30T11:15:53
Severity: high
Identifiers and References

Identifiers:  CCE-27401-9

References:  AC-17(8), CM-7, IA-5(1)(c), 3.1.13, 3.4.7, 2.2.18

Description

The telnet service configuration file /etc/xinetd.d/telnet is not created automatically. If it was created manually, check the /etc/xinetd.d/telnet file and ensure that disable = no is changed to read disable = yes, as follows:

# description: The telnet server serves telnet sessions; it uses \\
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream

        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled. The telnet socket can be disabled with the following command:

$ sudo systemctl disable telnet.socket

Rationale

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the telnet service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_telnet:obj:1 of type systemdunitproperty_object
Unit: telnet\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_telnet:ste:1 of type systemdunitproperty_state
Value: inactive
Uninstall telnet-server Package

Rule ID: xccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result: pass
Time: 2018-04-30T11:15:53
Severity: high
Identifiers and References

Identifiers:  CCE-27165-0

References:  RHEL-07-021710, SV-86701r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.1.1

Description

The telnet-server package can be uninstalled with the following command:

$ sudo yum erase telnet-server

Rationale

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log in using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.

OVAL details

package telnet-server is removed  passed because these items were not found:

Object oval:ssg-obj_package_telnet-server_removed:obj:1 of type rpminfo_object
Name: telnet-server
Remove telnet Clients

Rule ID: xccdf_org.ssgproject.content_rule_package_telnet_removed
Result: pass
Time: 2018-04-30T11:15:53
Severity: low
Identifiers and References

Identifiers:  CCE-27305-2

References:  2.3.4, 3.1.13

Description

The telnet client allows users to start connections to other systems via the telnet protocol.

Rationale

The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux.

OVAL details

package telnet is removed  passed because these items were not found:

Object oval:ssg-obj_package_telnet_removed:obj:1 of type rpminfo_object
Name: telnet
Uninstall rsh-server Package

Rule ID: xccdf_org.ssgproject.content_rule_package_rsh-server_removed
Result: pass
Time: 2018-04-30T11:15:53
Severity: high
Identifiers and References

Identifiers:  CCE-27342-5

References:  RHEL-07-020000, SV-86591r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049

Description

The rsh-server package can be uninstalled with the following command:

$ sudo yum erase rsh-server

Rationale

The rsh-server service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to log in using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

OVAL details

package rsh-server is removed  passed because these items were not found:

Object oval:ssg-obj_package_rsh-server_removed:obj:1 of type rpminfo_object
Name: rsh-server
Disable rexec Service

Rule ID: xccdf_org.ssgproject.content_rule_service_rexec_disabled
Result: pass
Time: 2018-04-30T11:15:53
Severity: high
Identifiers and References

Identifiers:  CCE-27408-4

References:  AC-17(8), CM-7, CCI-000068, CCI-001436, 3.1.13, 3.4.7, 2.2.17

Description

The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. If using systemd, the rexec socket can be disabled with the following command:

$ sudo systemctl disable rexec.socket

Rationale

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the rexec service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_rexec:obj:1 of type systemdunitproperty_object
Unit: rexec\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_rexec:ste:1 of type systemdunitproperty_state
Value: inactive
Disable rsh Service

Rule ID: xccdf_org.ssgproject.content_rule_service_rsh_disabled
Result: pass
Time: 2018-04-30T11:15:53
Severity: high
Identifiers and References

Identifiers:  CCE-27337-5

References:  AC-17(8), CM-7, IA-5(1)(c), CCI-000068, CCI-001436, 3.1.13, 3.4.7, 2.2.17

Description

The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. If using systemd, the rsh socket can be disabled with the following command:

$ sudo systemctl disable rsh.socket

Rationale

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the rsh service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_rsh:obj:1 of type systemdunitproperty_object
Unit: rsh\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_rsh:ste:1 of type systemdunitproperty_state
Value: inactive

Uninstall rsh Package

Rule ID: xccdf_org.ssgproject.content_rule_package_rsh_removed
Result: pass
Time: 2018-04-30T11:15:53
Severity: low
Identifiers and References

Identifiers:  CCE-27274-0

References:  2.3.2, 3.1.13

Description

The rsh package contains the client commands for the rsh services.

Rationale

These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp, and rlogin.

OVAL details

package rsh is removed  passed because these items were not found:

Object oval:ssg-obj_package_rsh_removed:obj:1 of type rpminfo_object
Name: rsh

Disable rlogin Service

Rule ID: xccdf_org.ssgproject.content_rule_service_rlogin_disabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-27336-7

References:  AC-17(8), CM-7, IA-5(1)(c), CCI-001436, 3.1.13, 3.4.7, 2.2.17

Description

The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. If using systemd, the rlogin socket can be disabled with the following command:

$ sudo systemctl disable rlogin.socket

Rationale

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the rlogin service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_rlogin:obj:1 of type systemdunitproperty_object
Unit: rlogin\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_rlogin:ste:1 of type systemdunitproperty_state
Value: inactive

Remove Rsh Trust Files

Rule ID: xccdf_org.ssgproject.content_rule_no_rsh_trust_files
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-27406-8

References:  AC-17(8), CM-7, CCI-001436, 6.2.14

Description

The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:

$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts

Rationale

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

OVAL details

look for .rhosts or .shosts in /root  passed because these items were not found:

Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type file_object
Path: /root
Filename: ^\.(r|s)hosts$

look for .rhosts or .shosts in /home  passed because these items were not found:

Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type file_object
Behaviors: no value
Path: /home
Filename: ^\.(r|s)hosts$

look for /etc/hosts.equiv or /etc/shosts.equiv  passed because these items were not found:

Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type file_object
Path: /etc
Filename: ^s?hosts\.equiv$

Uninstall ypserv Package

Rule ID: xccdf_org.ssgproject.content_rule_package_ypserv_removed
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-27399-5

References:  RHEL-07-020010, SV-86593r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.2.16

Description

The ypserv package can be uninstalled with the following command:

$ sudo yum erase ypserv

Rationale

The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

OVAL details

package ypserv is removed  passed because these items were not found:

Object oval:ssg-obj_package_ypserv_removed:obj:1 of type rpminfo_object
Name: ypserv

Disable ypbind Service

Rule ID: xccdf_org.ssgproject.content_rule_service_ypbind_disabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27385-4

References:  AC-17(8), CM-7, CCI-000305

Description

The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command:

$ sudo systemctl disable ypbind.service

Rationale

Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the ypbind service is not running  passed because of these items:

Unit: ypbind.service
Property: ActiveState
Value: inactive

Remove NIS Client

Rule ID: xccdf_org.ssgproject.content_rule_package_ypbind_removed
Result: pass
Time: 2018-04-30T11:15:54
Severity: low
Identifiers and References

Identifiers:  CCE-27396-1

References:  2.3.1

Description

The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.

Rationale

The NIS service is an inherently insecure system that has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS has generally been replaced by protocols such as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

OVAL details

package ypbind is removed  passed because these items were not found:

Object oval:ssg-obj_package_ypbind_removed:obj:1 of type rpminfo_object
Name: ypbind

Uninstall talk-server Package

Rule ID: xccdf_org.ssgproject.content_rule_package_talk-server_removed
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27210-4

References:  2.2.21

Description

The talk-server package can be removed with the following command:

$ sudo yum erase talk-server

Rationale

The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services.

OVAL details

package talk-server is removed  passed because these items were not found:

Object oval:ssg-obj_package_talk-server_removed:obj:1 of type rpminfo_object
Name: talk-server

Uninstall talk Package

Rule ID: xccdf_org.ssgproject.content_rule_package_talk_removed
Result: pass
Time: 2018-04-30T11:15:54
Severity: low
Identifiers and References

Identifiers:  CCE-27432-4

References:  2.3.3

Description

The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:

$ sudo yum erase talk

Rationale

The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of the talk client program.

OVAL details

package talk is removed  passed because these items were not found:

Object oval:ssg-obj_package_talk_removed:obj:1 of type rpminfo_object
Name: talk

Disable KDump Kernel Crash Analyzer (kdump)

Rule ID: xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80258-7

References:  RHEL-07-021300, SV-86681r1_rule, AC-17(8), CM-7, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227

Description

The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:

$ sudo systemctl disable kdump.service

Rationale

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.

OVAL details

systemd test  passed because of these items:


systemd test  passed because of these items:


Test that the kdump service is not running  passed because these items were not found:

Object oval:ssg-obj_service_not_running_kdump:obj:1 of type systemdunitproperty_object
Unit: kdump\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_kdump:ste:1 of type systemdunitproperty_state
Value: inactive

Verify User Who Owns /etc/cron.allow file

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_cron_allow
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80378-3

References:  RHEL-07-021110, SV-86677r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

$ sudo chown root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing user ownership of /etc/cron.allow  passed because these items were not found:

Object oval:ssg-object_file_etc_cron_allow:obj:1 of type file_object
Filepath: /etc/cron.allow
State oval:ssg-state_etc_cron_allow_uid_root:ste:1 of type file_state
User id: 0

Verify Group Who Owns /etc/cron.allow file

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80379-1

References:  RHEL-07-021120, SV-86679r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:

$ sudo chgrp root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing group ownership /etc/cron.allow  passed because these items were not found:

Object oval:ssg-object_groupowner_cron_allow_file:obj:1 of type file_object
Filepath: /etc/cron.allow
State oval:ssg-state_groupowner_cron_allow_file:ste:1 of type file_state
Group id: 0

Enable cron Service

Rule ID: xccdf_org.ssgproject.content_rule_service_crond_enabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27323-5

References:  CM-7, 5.1.1

Description

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:

$ sudo systemctl enable crond.service

Rationale

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

OVAL details

Test that the crond service is running  passed because of these items:

Unit: crond.service
Property: ActiveState
Value: active

systemd test  passed because of these items:


systemd test  passed because of these items:

Enable SSH Server firewalld Firewall exception

Rule ID: xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Result: fail
Time: 2018-04-30T11:15:54
Severity: low
Identifiers and References

Identifiers:  CCE-80361-9

References:  3.1.12

Description

By default, inbound connections to SSH's port are allowed. If the SSH server is being used but denied by the firewall, this exception should be added to the firewall configuration.

To configure firewalld to allow access, run the following command(s):

firewall-cmd --permanent --add-service=ssh

Rationale

If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port.

OVAL details

ssh service is enabled in services  failed because these items were missing:

Object oval:ssg-object_firewalld_service_sshd_enabled:obj:1 of type xmlfilecontent_object
Path: /etc/firewalld/services
Filename: ^.*\.xml$
Xpath: /service/service[@name='ssh']

ssh port is enabled in services  failed because these items were missing:

Object oval:ssg-object_firewalld_service_sshd_port_enabled:obj:1 of type textfilecontent54_object
Path: /etc/firewalld/services
Filename: ^.*\.xml$
Pattern: <port.*port="(\d+)"
Instance: 1
State oval:ssg-state_sshd_listening_port:ste:1 of type textfilecontent54_state
Subexpression: 22

ssh service is enabled in zones  failed because of these items:

Filepath: /etc/firewalld/zones/public.xml
Path: /etc/firewalld/zones
Filename: public.xml
Xpath: /zone/service[@name='ssh']

ssh service is enabled in zones  failed because these items were missing:

Object oval:ssg-object_zones_with_nics:obj:1 of type xmlfilecontent_object
Path: /etc/firewalld/zones
Filename: Referenced variable has no values (oval:ssg-var_firewalld_zones_with_assigned_nics:var:1).
Xpath: /zone/service[@name='ssh']

ssh port is enabled in zones  failed because these items were missing:

Object oval:ssg-object_firewalld_zone_sshd_port_enabled:obj:1 of type textfilecontent54_object
Path: /etc/firewalld/zones
Filename: ^.*\.xml$
Pattern: <port.*port="(\d+)"
Instance: 1
State oval:ssg-state_sshd_listening_port:ste:1 of type textfilecontent54_state
Subexpression: 22

Remediation Ansible snippet:

Complexity: low
Disruption: low
Strategy: configure

- name: Ensure firewalld is installed
  package:
    name="{{item}}"
    state=present
  with_items:
    - firewalld
  tags:
    - firewalld_sshd_port_enabled
    - low_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-171-3.1.12

- name: XCCDF Value sshd_listening_port # promote to variable
  set_fact:
    sshd_listening_port: 22
  tags:
    - always

- name: Enable SSHD in firewalld (custom port)
  firewalld:
    port: "{{ sshd_listening_port }}/tcp"
    permanent: yes
    state: enabled
  when: sshd_listening_port != 22
  tags:
    - firewalld_sshd_port_enabled
    - low_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-171-3.1.12

- name: Enable SSHD in firewalld (default port)
  firewalld:
    service: ssh
    permanent: yes
    state: enabled
  when: sshd_listening_port == 22
  tags:
    - firewalld_sshd_port_enabled
    - low_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-80361-9
    - NIST-800-171-3.1.12

Allow Only SSH Protocol 2

Rule ID: xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-27320-1

References:  RHEL-07-040390, SV-86875r2_rule, AC-17(8).1(ii), IA-5(1)(c), CCI-000197, CCI-000366, 5.2.2, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.13, 3.5.4

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Warnings

As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line

Protocol 2

in /etc/ssh/sshd_config is not necessary.

OVAL details

sshd uses protocol 2  passed because these items were not found:

Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$
Instance: 1

Disable GSSAPI Authentication

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80220-7

References:  RHEL-07-040430, SV-86883r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:

GSSAPIAuthentication no

Rationale

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

OVAL details

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: GSSAPIAuthentication no

Disable Kerberos Authentication

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80221-5

References:  RHEL-07-040440, SV-86885r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:

KerberosAuthentication no

Rationale

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

OVAL details

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: KerberosAuthentication no # Per CCE-CCE-80222-3: Set StrictModes yes in /etc/ssh/sshd_config

Enable Use of Strict Mode Checking

Rule ID: xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80222-3

References:  RHEL-07-040450, SV-86887r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

StrictModes yes

Rationale

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

OVAL details

tests the value of StrictModes setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: StrictModes yes # Per CCE-CCE-80223-1: Set UsePrivilegeSeparation sandbox in /etc/ssh/sshd_config

Enable Use of Privilege Separation

Rule ID: xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80223-1

References:  RHEL-07-040460, SV-86889r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

UsePrivilegeSeparation sandbox

Rationale

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.

OVAL details

tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: UsePrivilegeSeparation sandbox # Per CCE-CCE-80224-9: Set Compression no in /etc/ssh/sshd_config

Disable Compression Or Set Compression to delayed

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_compression
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80224-9

References:  RHEL-07-040470, SV-86891r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:

Compression no
or
Compression delayed

Rationale

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

OVAL details

tests the value of Compression setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: Compression no # Per CCE-CCE-27433-2: Set ClientAliveInterval 600 in /etc/ssh/sshd_config

Set SSH Idle Timeout Interval

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result: pass
Time: 2018-04-30T11:15:54
Severity: low
Identifiers and References

Identifiers:  CCE-27433-2

References:  RHEL-07-040320, SV-86861r2_rule, AC-2(5), SA-8(i), AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, Req-8.1.8, 5.2.12, 5.5.6, 3.1.11

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval interval

The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL details

timeout is configured  passed because of these items:

Path: /etc/ssh/sshd_config
Content: ClientAliveInterval 600 # Per CCE-CCE-27082-7: Set ClientAliveCountMax 0 in /etc/ssh/sshd_config

Set SSH Client Alive Count

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27082-7

References:  RHEL-07-040340, SV-86865r2_rule, AC-2(5), SA-8, AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 5.2.12, 5.5.6, 3.1.11

Description

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

Rationale

This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached.

OVAL details

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: ClientAliveCountMax 0 # Per CCE-CCE-80372-6: Set IgnoreUserKnownHosts yes in /etc/ssh/sshd_config

Disable SSH Support for .rhosts Files

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27377-1

References:  RHEL-07-040350, SV-86867r2_rule, AC-3, CM-6(a), CCI-000366, 5.2.6, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.12

Description

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file  passed because these items were not found:

Object oval:ssg-obj_sshd_rsh_emulation_disabled:obj:1 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$
Instance: 1

Disable SSH Support for User Known Hosts

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80372-6

References:  RHEL-07-040380, SV-86873r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSH can allow system users to use host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreUserKnownHosts yes

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

Tests the value of the IgnoreUserKnownHosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: IgnoreUserKnownHosts yes

Disable SSH Support for Rhosts RSA Authentication

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80373-4

References:  RHEL-07-040330, SV-86863r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

RhostsRSAAuthentication no

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Warnings

As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line

RhostsRSAAuthentication no

in /etc/ssh/sshd_config is not necessary.

OVAL details

Tests the value of the RhostsRSAAuthentication[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file  passed because these items were not found:

Object oval:ssg-obj_sshd_disable_rhosts_rsa:obj:1 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$
Instance: 1

Disable Host-Based Authentication

Rule ID: xccdf_org.ssgproject.content_rule_disable_host_auth
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27413-4

References:  RHEL-07-010470, SV-86583r2_rule, AC-3, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.7, 5.5.6, 3.1.12

Description

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

sshd HostbasedAuthentication  passed because these items were not found:

Object oval:ssg-object_sshd_hostbasedauthentication:obj:1 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$
Instance: 1

Enable Encrypted X11 Forwarding

Rule ID: xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-80226-4

References:  RHEL-07-040710, SV-86927r2_rule, CM-2(1)(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 5.2.4

Description

By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:

X11Forwarding yes

Rationale

Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

OVAL details

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: X11Forwarding yes #X11DisplayOffset 10

Disable SSH Access via Empty Passwords

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result: pass
Time: 2018-04-30T11:15:54
Severity: high
Identifiers and References

Identifiers:  CCE-27471-2

References:  RHEL-07-010300, SV-86563r2_rule, AC-3, AC-6, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.5.6, 3.1.1, 3.1.5, 5.2.9

Description

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: PermitEmptyPasswords no # Per CCE-CCE-27314-4: Set Banner /etc/issue in /etc/ssh/sshd_config

Enable SSH Warning Banner

Rule ID: xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27314-4

References:  RHEL-07-040170, SV-86849r2_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, 5.2.16, 5.5.6, 3.1.9

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

OVAL details

Tests the value of the Banner[\s]+/etc/issue setting in the /etc/ssh/sshd_config file  passed because of these items:

Path: /etc/ssh/sshd_config
Content: Banner /etc/issue # Per CCE-CCE-27363-1: Set PermitUserEnvironment no in /etc/ssh/sshd_config

Do Not Allow SSH Environment Options

Rule ID: xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27363-1

References:  RHEL-07-010460, SV-86581r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.10, 5.5.6, 3.1.12

Description

To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

PermitUserEnvironment no

Rationale

SSH environment options potentially allow users to bypass access restriction in some configurations.

OVAL details

Check value of PermitUserEnvironment in /etc/ssh/sshd_config  passed because of these items:

PathContent
/etc/ssh/sshd_configPermitUserEnvironment no # Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config

Use Only FIPS 140-2 Validated Ciphers

Rule ID: xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27295-5

References:  RHEL-07-040110, SV-86845r2_rule, AC-3, AC-17(2), AU-10(5), CM-6(b), IA-5(1)(c), IA-7, CCI-000068, CCI-000366, CCI-000803, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, 5.2.10, 5.5.6, 3.1.13, 3.13.11, 3.13.8

Description

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr


The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Rationale

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.

OVAL details

tests the value of Ciphers setting in the /etc/ssh/sshd_config file  passed because of these items:

Path | Content
/etc/ssh/sshd_config | Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc # Per CCE-CCE-27455-5: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com in /etc/ssh/sshd_config

Use Only FIPS 140-2 Validated MACs

Rule ID: xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27455-5

References:  RHEL-07-040400, SV-86877r2_rule, AC-17(2), IA-7, SC-13, CCI-001453, SRG-OS-000250-GPOS-00093, 3.1.13, 3.13.11, 3.13.8, 5.2.12

Description

Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:

MACs hmac-sha2-512,hmac-sha2-256


Only the following message authentication codes are FIPS 140-2 certified on RHEL 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Rationale

DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA2.

OVAL details

tests the value of MACs setting in the /etc/ssh/sshd_config file  passed because of these items:

Var ref | Value | Value | Value | Value | Value | Value
oval:ssg-var_sshd_config_macs:var:1 | hmac-sha2-512 | hmac-sha2-256 | hmac-sha1 | hmac-sha1-etm@openssh.com | hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com

Enable the OpenSSH Service

Rule ID: xccdf_org.ssgproject.content_rule_service_sshd_enabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80216-5

References:  RHEL-07-040310, SV-86859r2_rule, SC-8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190, 3.1.13, 3.5.4, 3.13.8

Description

The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:

$ sudo systemctl enable sshd.service

Rationale

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

OVAL details

Test that the sshd service is running  passed because of these items:

Unit | Property | Value
sshd.service | ActiveState | active
sshd.socket | ActiveState | inactive

systemd test  passed because of these items:


systemd test  passed because of these items:


Verify Permissions on SSH Server Public *.pub Key Files

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27311-0

References:  RHEL-07-040410, SV-86879r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 3.13.10

Description

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

OVAL details

Testing file permissions  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/etc/ssh/ssh_host_rsa_key.pub | regular | 0 | 0 | 382 | rw-r--r--
/etc/ssh/ssh_host_ed25519_key.pub | regular | 0 | 0 | 82 | rw-r--r--
/etc/ssh/ssh_host_ecdsa_key.pub | regular | 0 | 0 | 162 | rw-r--r--

Verify Permissions on SSH Server Private *_key Key Files

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27485-2

References:  RHEL-07-040420, SV-86881r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 3.13.10

Description

To properly set the permissions of /etc/ssh/*_key, run the command:

$ sudo chmod 0640 /etc/ssh/*_key

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

OVAL details

Testing file permissions  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/etc/ssh/ssh_host_ecdsa_key | regular | 0 | 997 | 227 | rw-r-----
/etc/ssh/ssh_host_rsa_key | regular | 0 | 997 | 1675 | rw-r-----
/etc/ssh/ssh_host_ed25519_key | regular | 0 | 997 | 387 | rw-r-----

Configure SSSD's Memory Cache to Expire

Rule ID: xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80364-3

References:  IA-5(13), CCI-002007, SRG-OS-000383-GPOS-00166

Description

SSSD's memory cache should be configured to expire records after 1 day. To configure SSSD to expire memory cache, set memcache_timeout to 86400 under the [nss] section in /etc/sssd/sssd.conf. For example:

[nss]
memcache_timeout = 86400

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

OVAL details

tests the value of memcache_timeout setting in the /etc/sssd/sssd.conf file  passed because these items were not found:

Object oval:ssg-obj_sssd_memcache_timeout:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sssd/sssd.conf | ^\[nss]([^\n]*\n+)+?memcache_timeout[\s]+=[\s]+86400$ | 1

Configure SSSD to Expire Offline Credentials

Rule ID: xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80365-0

References:  IA-5(13), CCI-002007, SRG-OS-000383-GPOS-00166

Description

SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:

[pam]
offline_credentials_expiration = 1

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

OVAL details

tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file  passed because these items were not found:

Object oval:ssg-obj_sssd_offline_cred_expiration:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sssd/sssd.conf | ^\[pam]([^\n]*\n+)+?offline_credentials_expiration[\s]+=[\s]+1$ | 1

Configure SSSD to Expire SSH Known Hosts

Rule ID: xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80366-8

References:  IA-5(13), CCI-002007, SRG-OS-000383-GPOS-00166

Description

SSSD should be configured to expire keys from known SSH hosts after 1 day. To configure SSSD to expire known SSH hosts, set ssh_known_hosts_timeout to 86400 under the [ssh] section in /etc/sssd/sssd.conf. For example:

[ssh]
ssh_known_hosts_timeout = 86400

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

OVAL details

tests the value of ssh_known_hosts_timeout setting in the /etc/sssd/sssd.conf file  passed because these items were not found:

Object oval:ssg-obj_sssd_ssh_known_hosts_timeout:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sssd/sssd.conf | ^\[ssh]([^\n]*\n+)+?ssh_known_hosts_timeout[\s]+=[\s]+86400$ | 1

Enable the NTP Daemon

Rule ID: xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27444-9

References:  AU-8(1), CCI-000160, Req-10.4, 2.2.1.1, 3.3.7

Description

The chronyd service can be enabled with the following command:

$ sudo systemctl enable chronyd.service
Note: The chronyd daemon is enabled by default.

The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
Note: The ntpd daemon is not enabled by default. However, as mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance on which NTP daemon to choose depending on the environment used.

Rationale

Enabling either the chronyd or the ntpd service ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate


Specify a Remote NTP Server

Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27278-1

References:  AU-8(1), CCI-000160, Req-10.4.1, Req-10.4.3, 3.6, 3.3.7

Description

Depending on the specific functional requirements of a given production environment, the Red Hat Enterprise Linux 7 Server system can be configured to use the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:

  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.


Specify Additional Remote NTP Servers

Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers
Result: pass
Time: 2018-04-30T11:15:54
Severity: low
Identifiers and References

Identifiers:  CCE-27012-4

References:  AU-8(1), Req-10.4.3

Description

Depending on the specific functional requirements of a given production environment, the Red Hat Enterprise Linux 7 Server system can be configured to use the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of both choices, and for further guidance on how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:

  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver

Rationale

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.


Configure LDAP Client to Use TLS For All Transactions

Rule ID: xccdf_org.ssgproject.content_rule_ldap_client_start_tls
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80291-8

References:  RHEL-07-040180, SV-86851r2_rule, AC-17(2), CM-7, CCI-001453, SRG-OS-000250-GPOS-00093

Description

This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:

$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

OVAL details

Tests the value of the ssl start_tls setting in the /etc/nslcd.conf file  passed because of these items:

Path | Content
/etc/nslcd.conf | ssl start_tls

Mount Remote Filesystems with nodev

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80239-7

References:  CM-7, MP-2

Description

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

OVAL details

no nfs  passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_nodev:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0

all nfs has nodev  passed because these items were not found:

Object oval:ssg-object_nfs_nodev_etc_fstab:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0
State oval:ssg-state_remote_filesystem_nodev:ste:1 of type textfilecontent54_state
Subexpression
^.*nodev.*$

Mount Remote Filesystems with nosuid

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-80240-5

References:  RHEL-07-021020, SV-86669r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

OVAL details

no nfs  passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0

all nfs has nosuid  passed because these items were not found:

Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0
State oval:ssg-state_remote_filesystem_nosuid:ste:1 of type textfilecontent54_state
Subexpression
^.*nosuid.*$

Mount Remote Filesystems with Kerberos Security

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27458-9

References:  RHEL-07-040750, SV-86935r3_rule, AC-14(1), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

OVAL details

no nfs  passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_krb_sec:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0

all nfs has krb_sec  passed because these items were not found:

Object oval:ssg-object_nfs_krb_sec_etc_fstab:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0
State oval:ssg-state_remote_filesystem_krb_sec:ste:1 of type textfilecontent54_state
Subexpression
^.*sec=krb5:krb5i:krb5p.*$

Use Kerberos Security on All Exports

Rule ID: xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27464-7

References:  AC-14(1), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptographically authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

OVAL details

Tests the value of the Kerberos Settings in /etc/exports  passed because these items were not found:

Object oval:ssg-obj_use_kerberos_security_all_exports:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/exports | ^\/.*\((\S+)\)$ | 0
State oval:ssg-state_use_kerberos_security_all_exports:ste:1 of type textfilecontent54_state
Subexpression
^.*,sec=krb5\:krb5i\:krb5p.*$

Tests if a share is configured in /etc/exports  passed because these items were not found:

Object oval:ssg-obj_non_empty_exports_file:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/exports | ^\/.*$ | 0

Disable Quagga Service

Rule ID: xccdf_org.ssgproject.content_rule_service_zebra_disabled
Result: pass
Time: 2018-04-30T11:15:54
Severity: medium
Identifiers and References

Identifiers:  CCE-27191-6

References:  RHEL-07-040730, SV-86931r2_rule, SC-32, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The zebra service can be disabled with the following command:

$ sudo systemctl disable zebra.service

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.

OVAL details

systemd test  passed because of these items:


systemd test passed because of these items:

Unit: multi-user.target
Dependencies: basic.target, sysinit.target, systemd-binfmt.service, systemd-random-seed.service, rhel-loadmodules.service, rhel-import-state.service, systemd-update-utmp.service, dev-mqueue.mount, systemd-firstboot.service, local-fs.target, boot.mount, tmp.mount, var-log-audit.mount, var-log.mount, var-tmp.mount, home.mount, -.mount, var.mount, rhel-readonly.service, systemd-remount-fs.service, plymouth-read-write.service, systemd-tmpfiles-setup-dev.service, systemd-journald.service, systemd-vconsole-setup.service, systemd-journal-flush.service, lvm2-monitor.service, swap.target, dev-mapper-rhel\x2dswap.swap, systemd-hwdb-update.service, systemd-modules-load.service, sys-kernel-debug.mount, kmod-static-nodes.service, systemd-update-done.service, cryptsetup.target, rhel-autorelabel.service, lvm2-lvmetad.socket, systemd-ask-password-console.path, sys-kernel-config.mount, systemd-journal-catalog-update.service, lvm2-lvmpolld.socket, proc-sys-fs-binfmt_misc.automount, rhel-domainname.service, dev-hugepages.mount, systemd-sysctl.service, sys-fs-fuse-connections.mount, systemd-udev-trigger.service, systemd-machine-id-commit.service, plymouth-start.service, systemd-tmpfiles-setup.service, systemd-udevd.service, paths.target, timers.target, systemd-tmpfiles-clean.timer, slices.target, -.slice, system.slice, microcode.service, rhel-dmesg.service, sockets.target, systemd-shutdownd.socket, dbus.socket, systemd-udevd-kernel.socket, systemd-journald.socket, systemd-initctl.socket, systemd-udevd-control.socket, dm-event.socket, pcscd.socket, selinux-policy-migrate-local-changes@targeted.service, tuned.service, rhsmcertd.service, brandbot.path, plymouth-quit-wait.service, chronyd.service, postfix.service, auditd.service, plymouth-quit.service, sshd.service, NetworkManager.service, rsyslog.service, systemd-logind.service, getty.target, getty@tty1.service, firewalld.service, systemd-user-sessions.service, irqbalance.service, systemd-readahead-collect.service, systemd-update-utmp-runlevel.service, remote-fs.target, systemd-readahead-replay.service, network.service, dbus.service, crond.service, rhnsd.service, rhel-configure.service, systemd-ask-password-wall.path

Test that the zebra service is not running passed because these items were not found:

Object oval:ssg-obj_service_not_running_zebra:obj:1 of type systemdunitproperty_object
Unit: zebra\.(service|socket)
Property: ActiveState
State oval:ssg-state_service_not_running_zebra:ste:1 of type systemdunitproperty_state
Value: inactive
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.