Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
This is a *draft* profile for PCI-DSS v3.

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: localhost.localdomain
Benchmark URL: /tmp/tmp.4GstqN0lL6/input.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Started at: 2018-04-30T11:12:07
Finished at: 2018-04-30T11:12:45
Performed by: root

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode

Addresses

  • IPv4  127.0.0.1
  • IPv4  192.168.122.162
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:5054:ff:fe40:5f9e
  • MAC  00:00:00:00:00:00
  • MAC  52:54:00:40:5F:9E

Compliance and Scoring

The target system did not satisfy the conditions of 1 rule! Please review the rule results and consider applying remediation.

Rule results

92 passed
1 failed
1 other

Severity of failed rules

0 other
0 low
1 medium
0 high

Score

Scoring system | Score | Maximum | Percent
urn:xccdf:scoring:default | 99.869797 | 100.000000 | 99.87%

Rule Overview

Title | Severity | Result

Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (1x fail, 1x notchecked)
System Settings (1x fail, 1x notchecked)
Installing and Maintaining Software (1x notchecked)
Updating Software (1x notchecked)
  • Ensure Red Hat GPG Key Installed | high | pass
  • Ensure gpgcheck Enabled In Main Yum Configuration | high | pass
  • Ensure gpgcheck Enabled For All Yum Package Repositories | high | pass
  • Ensure Software Patches Installed | high | notchecked
System and Software Integrity
Software Integrity Checking
Verify Integrity with AIDE
  • Install AIDE | medium | pass
  • Build and Test AIDE Database | medium | pass
  • Configure Periodic Execution of AIDE | medium | pass
Verify Integrity with RPM
  • Verify and Correct File Permissions with RPM | high | pass
  • Verify File Hashes with RPM | high | pass
Endpoint Protection Software
  • Install Intrusion Detection Software | high | pass
GNOME Desktop Environment
Configure GNOME Screen Locking
  • Set GNOME3 Screensaver Inactivity Timeout | medium | pass
  • Enable GNOME3 Screensaver Idle Activation | medium | pass
  • Enable GNOME3 Screensaver Lock After Idle Period | medium | pass
  • Implement Blank Screensaver | low | pass
File Permissions and Masks
Verify Permissions on Important Files and Directories
  • Verify User Who Owns shadow File | medium | pass
  • Verify Group Who Owns shadow File | medium | pass
  • Verify Permissions on shadow File | medium | pass
  • Verify User Who Owns group File | medium | pass
  • Verify Group Who Owns group File | medium | pass
  • Verify Permissions on group File | medium | pass
  • Verify User Who Owns passwd File | medium | pass
  • Verify Group Who Owns passwd File | medium | pass
  • Verify Permissions on passwd File | medium | pass
Account and Access Control
Protect Accounts by Restricting Password-Based Login
Verify Proper Storage and Existence of Password Hashes
  • Prevent Log In to Accounts With Empty Password | high | pass
  • Verify All Account Password Hashes are Shadowed | medium | pass
  • All GIDs referenced in /etc/passwd must be defined in /etc/group | low | pass
Set Password Expiration Parameters
Protect Accounts by Configuring PAM
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
  • Set Password Strength Minimum Digit Characters | medium | pass
  • Set Password Minimum Length | medium | pass
  • Set Password Strength Minimum Uppercase Characters | medium | pass
  • Set Password Strength Minimum Lowercase Characters | medium | pass
Set Lockouts for Failed Password Attempts
  • Set Deny For Failed Password Attempts | medium | pass
  • Set Lockout Time For Failed Password Attempts | medium | pass
  • Limit Password Reuse | medium | pass
Set Password Hashing Algorithm
  • Set PAM's Password Hashing Algorithm | medium | pass
  • Set Password Hashing Algorithm in /etc/login.defs | medium | pass
  • Set Password Hashing Algorithm in /etc/libuser.conf | medium | pass
Protect Physical Console Access
Set Boot Loader Password
  • Verify /boot/grub2/grub.cfg User Ownership | medium | pass
  • Verify /boot/grub2/grub.cfg Group Ownership | medium | pass
Configure Screen Locking
  • Enable Smart Card Login | medium | pass
Network Configuration and Firewalls
IPSec Support
  • Install libreswan Package | medium | pass
Configure Syslog
Ensure Proper Configuration of Log Files
  • Ensure Log Files Are Owned By Appropriate User | medium | pass
  • Ensure Log Files Are Owned By Appropriate Group | medium | pass
  • Ensure System Log Files Have Correct Permissions | medium | pass
Ensure All Logs are Rotated by logrotate
  • Ensure Logrotate Runs Periodically | low | pass
System Accounting with auditd (1x fail)
Configure auditd Data Retention
  • Configure auditd Number of Logs Retained | medium | pass
  • Configure auditd Max Log File Size | medium | pass
  • Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | pass
  • Configure auditd space_left Action on Low Disk Space | medium | pass
  • Configure auditd admin_space_left Action on Low Disk Space | medium | pass
  • Configure auditd mail_acct Action on Low Disk Space | medium | pass
  • Configure auditd to use audispd's syslog plugin | medium | pass
Configure auditd Rules for Comprehensive Auditing (1x fail)
Records Events that Modify Date and Time Information
  • Record attempts to alter time through adjtimex | low | pass
  • Record attempts to alter time through settimeofday | low | pass
  • Record Attempts to Alter Time Through stime | low | pass
  • Record Attempts to Alter Time Through clock_settime | low | pass
  • Record Attempts to Alter the localtime File | low | pass
Record Events that Modify the System's Discretionary Access Controls
  • Record Events that Modify the System's Discretionary Access Controls - chmod | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - chown | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - fchmod | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - fchmodat | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - fchown | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - fchownat | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - fremovexattr | medium | pass
  • Record Events that Modify the System's Discretionary Access Controls - fsetxattr | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - lchown | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - lremovexattr | medium | pass
  • Record Events that Modify the System's Discretionary Access Controls - lsetxattr | low | pass
  • Record Events that Modify the System's Discretionary Access Controls - removexattr | medium | pass
  • Record Events that Modify the System's Discretionary Access Controls - setxattr | low | pass
  • Record Attempts to Alter Logon and Logout Events | medium | fail
Record Unauthorized Access Attempts Events to Files (unsuccessful)
  • Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | medium | pass
Record Information on the Use of Privileged Commands
  • Ensure auditd Collects Information on the Use of Privileged Commands | medium | pass
Record File Deletion Events by User
  • Ensure auditd Collects File Deletion Events by User | medium | pass
Record Information on Kernel Modules Loading and Unloading
  • Ensure auditd Collects Information on Kernel Module Loading and Unloading | medium | pass
  • Record Events that Modify User/Group Information | low | pass
  • Record Events that Modify the System's Network Environment | low | pass
  • System Audit Logs Must Have Mode 0640 or Less Permissive | medium | pass
  • System Audit Logs Must Be Owned By Root | medium | pass
  • Record Events that Modify the System's Mandatory Access Controls | low | pass
  • Record Attempts to Alter Process and Session Initiation Information | low | pass
  • Ensure auditd Collects Information on Exporting to Media (successful) | medium | pass
  • Ensure auditd Collects System Administrator Actions | low | pass
  • Make the auditd Configuration Immutable | medium | pass
  • Enable auditd Service | high | pass
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon | medium | pass
Services
SSH Server
Configure OpenSSH Server if Necessary
  • Set SSH Idle Timeout Interval | low | pass
Network Time Protocol
  • Enable the NTP Daemon | medium | pass
  • Specify a Remote NTP Server | medium | pass
  • Specify Additional Remote NTP Servers | low | pass

Result Details


Ensure Red Hat GPG Key Installed

Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result: pass
Time: 2018-04-30T11:12:08
Severity: high
Identifiers and References

Identifiers:  CCE-26957-1

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 1.2.3, 5.10.4.1, 3.4.8

Description

To ensure the system can cryptographically verify that base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must be properly installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Rationale

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL details

Red Hat release key package is installed: passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

Red Hat auxiliary key package is installed: passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

CentOS7 key package is installed: passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

CentOS6 key package is installed: passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
gpg-pubkey | (none) | (none) | 45700c69 | 2fa658e0 | 0:2fa658e0-45700c69 | 0 | gpg-pubkey-0:2fa658e0-45700c69.(none)
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none)

Ensure gpgcheck Enabled In Main Yum Configuration

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result: pass
Time: 2018-04-30T11:12:08
Severity: high
Identifiers and References

Identifiers:  CCE-26989-4

References:  RHEL-07-020050, SV-86601r1_rule, CM-5(3), SI-7, MA-1(b), CCI-001749, SRG-OS-000366-GPOS-00153, Req-6.2, 1.2.2, 5.10.4.1, 3.4.8

Description

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL details

check value of gpgcheck in /etc/dnf/dnf.conf: passed because these items were not found:

Object oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1 of type textfilecontent54_object
Filepath: /etc/dnf/dnf.conf
Pattern: ^\s*gpgcheck\s*=\s*1\s*$
Instance: 1

check value of gpgcheck in /etc/yum.conf: passed because of these items:

Path: /etc/yum.conf
Content: gpgcheck=1

Ensure gpgcheck Enabled For All Yum Package Repositories

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result: pass
Time: 2018-04-30T11:12:08
Severity: high
Identifiers and References

Identifiers:  CCE-26876-3

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 5.10.4.1, 3.4.8

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files: passed because these items were not found:

Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
Path: /etc/yum.repos.d
Filename: .*
Pattern: ^\s*gpgcheck\s*=\s*0\s*$
Instance: 1

Ensure Software Patches Installed

Rule ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result: notchecked
Time: 2018-04-30T11:12:08
Severity: high
Identifiers and References

Identifiers:  CCE-26895-3

References:  RHEL-07-020260, SV-86623r3_rule, SI-2, SI-2(c), MA-1(b), CCI-000366, Req-6.2, 1.8, SRG-OS-000480-GPOS-00227, 5.10.4.1

Description

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Evaluation messages

info: None of the check-content-ref elements was resolvable.

Install AIDE

Rule ID: xccdf_org.ssgproject.content_rule_package_aide_installed
Result: pass
Time: 2018-04-30T11:12:08
Severity: medium
Identifiers and References

Identifiers:  CCE-27096-7

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 1.3.1, 5.10.1.3

Description

Install the AIDE package with the command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

OVAL details

package aide is installed: passed because of these items:

Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
aide | x86_64 | (none) | 13.el7 | 0.15.1 | 0:0.15.1-13.el7 | 199e2f91fd431d51 | aide-0:0.15.1-13.el7.x86_64

Build and Test AIDE Database

Rule ID: xccdf_org.ssgproject.content_rule_aide_build_database
Result: pass
Time: 2018-04-30T11:12:08
Severity: medium
Identifiers and References

Identifiers:  CCE-27220-3

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 5.10.1.3

Description

Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

OVAL details

Testing existence of new aide database file: passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/var/lib/aide/aide.db.new.gz | regular | 0 | 0 | 1569163 | rw-------

Testing existence of operational aide database file: passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/var/lib/aide/aide.db.gz | regular | 0 | 0 | 1569163 | rw-------

Configure Periodic Execution of AIDE

Rule ID: xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result: pass
Time: 2018-04-30T11:12:08
Severity: medium
Identifiers and References

Identifiers:  CCE-26952-2

References:  RHEL-07-020030, SV-86597r1_rule, CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, CCI-001744, Req-11.5, 1.3.2, SRG-OS-000363-GPOS-00150, 5.10.1.3

Description

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

run aide daily with cron: passed because of these items:

Path: /etc/crontab
Content: 05 4 * * * root /usr/sbin/aide --check

run aide daily with cron: passed because these items were not found:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
Path: /etc/cron.d
Filename: ^.*$
Pattern: ^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

run aide daily with cron: passed because these items were not found:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
Filepath: /var/spool/cron/root
Pattern: ^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*(root|)/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

run aide daily with cron.(daily|weekly|monthly): passed because these items were not found:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
Path: /etc/cron.(daily|weekly|monthly)
Filename: ^.*$
Pattern: ^\s*/usr/sbin/aide[\s]*\-\-check.*$
Instance: 1

Verify and Correct File Permissions with RPM

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result: pass
Time: 2018-04-30T11:12:11
Severity: high
Identifiers and References

Identifiers:  CCE-27209-6

References:  RHEL-07-010010, SV-86473r2_rule, AC-6, AU-9(1), AU-9(3), CM-6(d), CM-6(3), CCI-001494, CCI-001496, Req-11.5, 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 5.10.4.1, 3.3.8, 3.4.1

Description

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

Rationale

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Warnings
Warning: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1275532.
OVAL details

mode of all files matches local rpm database: passed because these items were not found:

Object oval:ssg-object_files_fail_mode:obj:1 of type rpmverifyfile_object
Behaviors: no value
Name: .*
Epoch: .*
Version: .*
Release: .*
Arch: .*
Filepath: .*
Filter: oval:ssg-state_files_fail_mode:ste:1

Verify File Hashes with RPM

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result: pass
Time: 2018-04-30T11:12:30
Severity: high
Identifiers and References

Identifiers:  CCE-27157-7

References:  RHEL-07-010020, SV-86479r2_rule, CM-6(d), CM-6(3), SI-7(1), CCI-000663, Req-11.5, 1.2.6, SRG-OS-000480-GPOS-00227, 5.10.4.1, 3.3.8, 3.4.1

Description

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

Rationale

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

OVAL details

verify file md5 hashes: passed because these items were not found:

Object oval:ssg-object_files_fail_md5_hash:obj:1 of type rpmverifyfile_object
Behaviors: no value
Name: .*
Epoch: .*
Version: .*
Release: .*
Arch: .*
Filepath: ^/(bin|sbin|lib|lib64|usr)/.+$
Filter: oval:ssg-state_files_fail_md5_hash:ste:1

Install Intrusion Detection Software

Rule ID: xccdf_org.ssgproject.content_rule_install_hids
Result: pass
Time: 2018-04-30T11:12:30
Severity: high
Identifiers and References

Identifiers:  CCE-26818-5

References:  SC-7, CCI-001263, Req-11.4

Description

The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.

Rationale

Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Warnings
Warning: In DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.
OVAL details

/selinux/enforce is 1: passed because of these items:

Path: /etc/selinux/config
Content: SELINUX=enforcing

Set GNOME3 Screensaver Inactivity Timeout

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-80110-0

References:  RHEL-07-010070, SV-86517r2_rule, AC-11(a), CCI-000057, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10

Description

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file (or files) in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings (the value is an unquoted uint32, which is the form the check below expects):

[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.

OVAL details

screensaver idle delay is configured: passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$
Instance: 1

user cannot change screensaver idle delay: passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_delay:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/locks/
Filename: ^.*$
Pattern: ^/org/gnome/desktop/session/idle-delay$
Instance: 1

screensaver idle delay setting is correct: passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type textfilecontent54_object
Path: /etc/dconf/db/local.d/
Filename: ^.*$
Pattern: ^idle-delay[\s=]*uint32[\s]([^=\s]*)
Instance: 1
State oval:ssg-state_screensaver_idle_delay_setting:ste:1 of type textfilecontent54_state
Subexpression: 900

Enable GNOME3 Screensaver Idle Activation

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-80111-8

References:  RHEL-07-010100, SV-86523r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10

Description

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.

OVAL details

idle delay is configured: passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_activation_enabled:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/
  Filename: ^.*$
  Pattern:  ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$
  Instance: 1

user cannot change idle_activation_enabled: passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/locks/
  Filename: ^.*$
  Pattern:  ^/org/gnome/desktop/screensaver/idle-activation-enabled$
  Instance: 1
Enable GNOME3 Screensaver Lock After Idle Period

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-80112-6

References:  RHEL-07-010060, SV-86515r2_rule, AC-11(b), CCI-000056, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011, 5.5.5, 3.1.10

Description

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

OVAL details

screensaver lock is enabled: passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/
  Filename: ^.*$
  Pattern:  ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$
  Instance: 1

screensaver lock cannot be changed by user: passed because these items were not found:

Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/locks/
  Filename: ^.*$
  Pattern:  ^/org/gnome/desktop/screensaver/lock-enabled$
  Instance: 1
Implement Blank Screensaver

Rule ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
Result: pass
Time: 2018-04-30T11:12:30
Severity: low
Identifiers and References

Identifiers:  CCE-80113-4

References:  AC-11(b), CCI-000060, Req-8.1.8, 5.5.5, 3.1.10

Description

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    picture-uri=string ''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/picture-uri

After the settings have been set, run dconf update.

Rationale

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

OVAL details

screensaver mode is blank: passed because these items were not found:

Object oval:ssg-obj_screensaver_mode_blank:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/
  Filename: ^.*$
  Pattern:  ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=string[\s]\'\'$
  Instance: 1

blank screensaver cannot be changed by user: passed because these items were not found:

Object oval:ssg-obj_prevent_user_screensaver_mode_change:obj:1 of type textfilecontent54_object
  Path:     /etc/dconf/db/local.d/locks/
  Filename: ^.*$
  Pattern:  ^/org/gnome/desktop/screensaver/picture-uri$
  Instance: 1
Verify User Who Owns shadow File

Rule ID: xccdf_org.ssgproject.content_rule_userowner_shadow_file
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-26795-5

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.3

Description

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

Testing user ownership of /etc/shadow: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/shadow  regular  0    0    735       ---------
Verify Group Who Owns shadow File

Rule ID: xccdf_org.ssgproject.content_rule_groupowner_shadow_file
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-27125-4

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.3

Description

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp root /etc/shadow

Rationale

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/shadow: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/shadow  regular  0    0    735       ---------
Verify Permissions on shadow File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-27100-7

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.3

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0000 /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

/etc/shadow mode and ownership: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/shadow  regular  0    0    735       ---------
Verify User Who Owns group File

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_group
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-26933-2

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.4

Description

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing user ownership: passed because of these items:

Path        Type     UID  GID  Size (B)  Permissions
/etc/group  regular  0    0    488       rw-r--r--
Verify Group Who Owns group File

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-27037-1

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.4

Description

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing group ownership: passed because of these items:

Path        Type     UID  GID  Size (B)  Permissions
/etc/group  regular  0    0    488       rw-r--r--
Verify Permissions on group File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-26949-8

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.4

Description

To properly set the permissions of /etc/group, run the command:

$ sudo chmod 644 /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing /etc/group permissions: passed because of these items:

Path        Type     UID  GID  Size (B)  Permissions
/etc/group  regular  0    0    488       rw-r--r--
Verify User Who Owns passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-27138-7

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.2

Description

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing user ownership: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/passwd  regular  0    0    958       rw-r--r--
Verify Group Who Owns passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-26639-5

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.2

Description

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/passwd: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/passwd  regular  0    0    958       rw-r--r--
Verify Permissions on passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result: pass
Time: 2018-04-30T11:12:30
Severity: medium
Identifiers and References

Identifiers:  CCE-26887-0

References:  AC-6, Req-8.7.c, 5.5.2.2, 6.1.2

Description

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

Rationale

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL details

/etc/passwd mode and ownership: passed because of these items:

Path         Type     UID  GID  Size (B)  Permissions
/etc/passwd  regular  0    0    958       rw-r--r--
Prevent Log In to Accounts With Empty Password

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result: pass
Time: 2018-04-30T11:12:30
Severity: high
Identifiers and References

Identifiers:  CCE-27286-4

References:  RHEL-07-010290, SV-86561r1_rule, AC-6, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000366, SRG-OS-000480-GPOS-00227, Req-8.2.3, 5.5.2, 3.1.1, 3.1.5

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL details

make sure nullok is not used in /etc/pam.d/system-auth: passed because these items were not found:

Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
  Filepath: /etc/pam.d/system-auth
  Pattern:  \s*nullok\s*
  Instance: 1
Verify All Account Password Hashes are Shadowed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27352-4

References:  IA-5(h), Req-8.2.1, 5.5.2, 3.5.10

Description

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

OVAL details

password hashes are shadowed: passed because of these items:

Username         Password  User id  Group id  Gcos                        Home dir            Login shell     Last login
root             x         0        0         root                        /root               /bin/bash       1524951308
bin              x         1        1         bin                         /bin                /sbin/nologin   0
daemon           x         2        2         daemon                      /sbin               /sbin/nologin   0
adm              x         3        4         adm                         /var/adm            /sbin/nologin   0
lp               x         4        7         lp                          /var/spool/lpd      /sbin/nologin   0
sync             x         5        0         sync                        /sbin               /bin/sync       0
shutdown         x         6        0         shutdown                    /sbin               /sbin/shutdown  0
halt             x         7        0         halt                        /sbin               /sbin/halt      0
mail             x         8        12        mail                        /var/spool/mail     /sbin/nologin   0
operator         x         11       0         operator                    /root               /sbin/nologin   0
games            x         12       100       games                       /usr/games          /sbin/nologin   0
ftp              x         14       50        FTP User                    /var/ftp            /sbin/nologin   0
nobody           x         99       99        Nobody                      /                   /sbin/nologin   0
systemd-network  x         192      192       systemd Network Management  /                   /sbin/nologin   0
dbus             x         81       81        System message bus          /                   /sbin/nologin   0
polkitd          x         999      998       User for polkitd            /                   /sbin/nologin   0
postfix          x         89       89                                    /var/spool/postfix  /sbin/nologin   0
sshd             x         74       74        Privilege-separated SSH     /var/empty/sshd     /sbin/nologin   0
chrony           x         998      996                                   /var/lib/chrony     /sbin/nologin   0
admin            x         1000     1000      admin                       /home/admin         /bin/bash       -1
unbound          x         997      995       Unbound DNS resolver        /etc/unbound        /sbin/nologin   0
All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule ID: xccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27503-2

References:  RHEL-07-020300, SV-86627r1_rule, IA-2, CCI-000764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2

Description

Add a group to the system for each GID referenced without a corresponding group.

Rationale

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with that Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

OVAL details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group: passed because of these items:

Path         Content
/etc/passwd  root:x:0:0:
/etc/passwd  bin:x:1:1:
/etc/passwd  daemon:x:2:2:
/etc/passwd  adm:x:3:4:
/etc/passwd  lp:x:4:7:
/etc/passwd  sync:x:5:0:
/etc/passwd  shutdown:x:6:0:
/etc/passwd  halt:x:7:0:
/etc/passwd  mail:x:8:12:
/etc/passwd  operator:x:11:0:
/etc/passwd  games:x:12:100:
/etc/passwd  ftp:x:14:50:
/etc/passwd  nobody:x:99:99:
/etc/passwd  systemd-network:x:192:192:
/etc/passwd  dbus:x:81:81:
/etc/passwd  polkitd:x:999:998:
/etc/passwd  postfix:x:89:89:
/etc/passwd  sshd:x:74:74:
/etc/passwd  chrony:x:998:996:
/etc/passwd  admin:x:1000:1000:
/etc/passwd  unbound:x:997:995:
Set Password Strength Minimum Digit Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27214-6

References:  RHEL-07-010140, SV-86531r2_rule, IA-5(1)(a), IA-5(b), IA-5(c), 194, CCI-000194, SRG-OS-000071-GPOS-00039, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf: passed because of these items:

Path                           Content
/etc/security/pwquality.conf   dcredit = -1
Set Password Minimum Length

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27293-0

References:  RHEL-07-010280, SV-86559r1_rule, IA-5(1)(a), CCI-000205, SRG-OS-000078-GPOS-00046, Req-8.2.3, 6.3.2, 5.6.2.1.1

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=7 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

OVAL details

check the configuration of /etc/security/pwquality.conf: passed because of these items:

Path                           Content
/etc/security/pwquality.conf   minlen = 7
Set Password Strength Minimum Uppercase Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27200-5

References:  RHEL-07-010120, SV-86527r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000192, SRG-OS-000069-GPOS-00037, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's ucredit parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL details

check the configuration of /etc/security/pwquality.conf: passed because of these items:

Path                           Content
/etc/security/pwquality.conf   ucredit = -1
Set Password Strength Minimum Lowercase Characters

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27345-8

References:  RHEL-07-010130, SV-86529r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000193, SRG-OS-000070-GPOS-00038, Req-8.2.3

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf: passed because of these items:

Path                           Content
/etc/security/pwquality.conf   lcredit = -1
Set Deny For Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27350-8

References:  RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.6, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

OVAL details

Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix: passed because of these items:

Path: /etc/pam.d/system-auth
Content:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800
    auth sufficient pam_unix.so try_first_pass

Check if pam_faillock.so is called in account phase before pam_unix: passed because of these items:

Path: /etc/pam.d/system-auth
Content:
    account required pam_faillock.so
    account required pam_unix.so

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix: passed because of these items:

Path: /etc/pam.d/password-auth
Content:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800
    auth sufficient pam_unix.so try_first_pass

Check if pam_faillock.so is called in account phase before pam_unix: passed because of these items:

Path: /etc/pam.d/password-auth
Content:
    account required pam_faillock.so
    account required pam_unix.so

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value: passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object
  Filepath: /etc/pam.d/system-auth
  Pattern:  6Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin
  Instance: 1

State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
  Subexpression: 6Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail: passed because of these items:

Path: /etc/pam.d/system-auth
Content:
    auth sufficient pam_unix.so try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth [default=die] pam_faillock.so authfail deny=6

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value: passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object
  Filepath: /etc/pam.d/password-auth
  Pattern:  6Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin
  Instance: 1

State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
  Subexpression: 6Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct: passed because of these items:

Path: /etc/pam.d/password-auth
Content:
    auth sufficient pam_unix.so try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth [default=die] pam_faillock.so authfail deny=6
Set Lockout Time For Failed Password Attempts

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-26884-7

References:  RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.7, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

OVAL details

check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth: passed because of these items:

Path                    Content
/etc/pam.d/system-auth  auth required pam_faillock.so preauth silent deny=6 unlock_time=1800

check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth: passed because of these items:

Path                    Content
/etc/pam.d/system-auth  auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800

check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth: passed because of these items:

Path                      Content
/etc/pam.d/password-auth  auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800

check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth: passed because of these items:

Path                      Content
/etc/pam.d/password-auth  auth required pam_faillock.so preauth silent deny=6 unlock_time=1800
Limit Password Reuse

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-26923-3

References:  RHEL-07-010270, SV-86557r1_rule, IA-5(f), IA-5(1)(e), CCI-000200, SRG-OS-000077-GPOS-00045, Req-8.2.5, 5.3.3, 5.6.2.1.1, 3.5.8

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember=4 to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:

  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=4
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=4
The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

OVAL details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth: passed because of these items:

Path                    Content
/etc/pam.d/system-auth  password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=4

Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth: passed because these items were not found:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object
  Filepath: /etc/pam.d/system-auth
  Pattern:  ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$
  Instance: 1

State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
  Subexpression: 4
Set PAM's Password Hashing Algorithm

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27104-9

References:  RHEL-07-010200, SV-86543r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL details

check /etc/pam.d/system-auth for correct settings  passed because of these items:

Path: /etc/pam.d/system-auth
Content: password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=4

Set Password Hashing Algorithm in /etc/login.defs

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27124-7

References:  RHEL-07-010210, SV-86545r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

OVAL details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs  passed because of these items:

Var ref: oval:ssg-variable_last_encrypt_method_instance_value:var:1
Value: SHA512

Set Password Hashing Algorithm in /etc/libuser.conf

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27053-8

References:  RHEL-07-010220, SV-86547r2_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 5.6.2.2, 3.13.11

Description

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL details

The password hashing algorithm should be set correctly in /etc/libuser.conf  passed because of these items:

Path: /etc/libuser.conf
Content: crypt_style = sha512

Verify /boot/grub2/grub.cfg User Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-26860-7

References:  AC-6(7), CCI-000225, Req-7.1, 1.4.1, 5.5.2.2, 3.4.5

Description

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:

$ sudo chown root /boot/grub2/grub.cfg

Rationale

Only root should be able to modify important boot parameters.

OVAL details

/boot/grub2/grub.cfg owned by root  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/boot/grub2/grub.cfg | regular | 0 | 0 | 4179 | rw-r--r--

Verify /boot/grub2/grub.cfg Group Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-26812-8

References:  AC-6(7), CCI-000225, Req-7.1, 1.4.1, 5.5.2.2, 3.4.5

Description

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:

$ sudo chgrp root /boot/grub2/grub.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

OVAL details

/boot/grub2/grub.cfg owned by root  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/boot/grub2/grub.cfg | regular | 0 | 0 | 4179 | rw-r--r--

Enable Smart Card Login

Rule ID: xccdf_org.ssgproject.content_rule_smartcard_auth
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80207-4

References:  RHEL-07-010500, SV-86589r1_rule, IA-2(2), CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, Req-8.3, SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058

Description

To enable smart card authentication, consult the documentation at:

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

Rationale

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

OVAL details

Test ocsp_on in /etc/pam_pkcs11/pkcs11.conf  passed because of these items:

Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;
Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;
Path: /etc/pam_pkcs11/pam_pkcs11.conf
Content: cert_policy = ca, signature, ocsp_on;

Test smartcard authentication is enabled in /etc/pam.d/system-auth file  passed because of these items:

Path: /etc/pam.d/system-auth
Content:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

Test smartcard authentication is required in /etc/pam.d/system-auth file  passed because these items were not found:

Object oval:ssg-object_smart_card_required_system_auth:obj:1 of type textfilecontent54_object
Behaviors: no value
Filepath: /etc/pam.d/system-auth
Pattern: \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n
Instance: 1

Test smartcard authentication is required in /etc/pam.d/smartcard-auth file  passed because of these items:

Path: /etc/pam.d/smartcard-auth
Content:
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password required pam_pkcs11.so

Install libreswan Package

Rule ID: xccdf_org.ssgproject.content_rule_package_libreswan_installed
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80170-4

References:  AC-17, MA-4, SC-9, CCI-001130, CCI-001131, Req-4.1

Description

The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:

$ sudo yum install libreswan

Rationale

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

OVAL details

package libreswan is installed  passed because of these items:

Name: libreswan
Arch: x86_64
Epoch: (none)
Release: 3.el7
Version: 3.23
Evr: 0:3.23-3.el7
Signature keyid: 199e2f91fd431d51
Extended name: libreswan-0:3.23-3.el7.x86_64

Ensure Log Files Are Owned By Appropriate User

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80189-4

References:  AC-6, SI-11, CCI-001314, Req-10.5.1, Req-10.5.2

Description

The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chown root LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL details

System log files are owned by root  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/var/log/messages | regular | 0 | 0 | 152659 | rw-------
/var/log/secure | regular | 0 | 0 | 5182 | rw-------
/var/log/maillog | regular | 0 | 0 | 0 | rw-------
/var/log/spooler | regular | 0 | 0 | 0 | rw-------
/var/log/cron | regular | 0 | 0 | 9486 | rw-------
/var/log/boot.log | regular | 0 | 0 | 0 | rw-------

Ensure Log Files Are Owned By Appropriate Group

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80190-2

References:  AC-6, SI-11, CCI-001314, Req-10.5.1, Req-10.5.2

Description

The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:

$ ls -l LOGFILE
If the group owner is not root, run the following command to correct this:
$ sudo chgrp root LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL details

System log files are owned by root group  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/var/log/messages | regular | 0 | 0 | 152659 | rw-------
/var/log/secure | regular | 0 | 0 | 5182 | rw-------
/var/log/maillog | regular | 0 | 0 | 0 | rw-------
/var/log/spooler | regular | 0 | 0 | 0 | rw-------
/var/log/cron | regular | 0 | 0 | 9486 | rw-------
/var/log/boot.log | regular | 0 | 0 | 0 | rw-------

Ensure System Log Files Have Correct Permissions

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80191-0

References:  SI-11, CCI-001314, Req-10.5.1, Req-10.5.2, 4.2.1.3

Description

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE

Rationale

Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.

OVAL details

Permissions of system log files are 0600  passed because of these items:

Path | Type | UID | GID | Size (B) | Permissions
/var/log/messages | regular | 0 | 0 | 152659 | rw-------
/var/log/secure | regular | 0 | 0 | 5182 | rw-------
/var/log/maillog | regular | 0 | 0 | 0 | rw-------
/var/log/spooler | regular | 0 | 0 | 0 | rw-------
/var/log/cron | regular | 0 | 0 | 9486 | rw-------
/var/log/boot.log | regular | 0 | 0 | 0 | rw-------

Ensure Logrotate Runs Periodically

Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-80195-1

References:  AU-9, CCI-000366, Req-10.7

Description

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Rationale

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

OVAL details

Tests the presence of daily setting in /etc/logrotate.conf file  passed because of these items:

Path: /etc/logrotate.conf
Content:
# see "man logrotate" for details
# rotate log files weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}
# system-specific logs may be also be configured here.
daily

Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)  passed because of these items:

Path: /etc/cron.daily/logrotate
Content: /usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf

Configure auditd Number of Logs Retained

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27348-2

References:  AU-1(b), AU-11, IR-5, Req-10.7, 5.4.1.1, 3.3.1

Description

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:

num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL details

admin space left action   passed because of these items:

Path: /etc/audit/auditd.conf
Content: num_logs = 5

Configure auditd Max Log File Size

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27319-3

References:  AU-1(b), AU-11, IR-5, Req-10.7, 5.2.1.1, 5.4.1.1

Description

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:

max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL details

max log file size  passed because of these items:

Path: /etc/audit/auditd.conf
Content: max_log_file = 8

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27231-0

References:  AU-1(b), AU-4, AU-11, IR-5, Req-10.7, 5.2.1.3, 5.4.1.1

Description

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

Rationale

Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

OVAL details

admin space left action   passed because of these items:

Path: /etc/audit/auditd.conf
Content: max_log_file_action = ROTATE

Configure auditd space_left Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27375-5

References:  AU-1(b), AU-4, AU-5(1), AU-5(b), IR-5, CCI-001855, Req-10.7, 5.2.1.2, SRG-OS-000343-GPOS-00134, 030340, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Rationale

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL details

space left action  passed because of these items:

Path: /etc/audit/auditd.conf
Content: space_left_action = email

Configure auditd admin_space_left Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27370-6

References:  AU-1(b), AU-4, AU-5(b), IR-5, CCI-000140, CCI-001343, Req-10.7, 5.2.1.2, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

Rationale

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

OVAL details

space left action  passed because of these items:

Path: /etc/audit/auditd.conf
Content: admin_space_left_action = single

Configure auditd mail_acct Action on Low Disk Space

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27394-6

References:  RHEL-07-030350, SV-86717r2_rule, AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, CCI-001855, Req-10.7.a, 5.2.1.2, SRG-OS-000343-GPOS-00134, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct = root

Rationale

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

OVAL details

email account for actions  passed because of these items:

Path: /etc/audit/auditd.conf
Content: action_mail_acct = root

Configure auditd to use audispd's syslog plugin

Rule ID: xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27341-7

References:  AU-1(b), AU-3(2), IR-5, CCI-000136, Req-10.5.3, 5.4.1.1, 3.3.1

Description

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server.

OVAL details

audispd syslog plugin activated  passed because of these items:

Path: /etc/audisp/plugins.d/syslog.conf
Content: active = yes

Record attempts to alter time through adjtimex

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27290-6

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit adjtimex  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit augenrules 64-bit adjtimex  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

audit auditctl 32-bit adjtimex  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 64-bit adjtimex  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

Record attempts to alter time through settimeofday

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27216-1

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit settimeofday  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit augenrules 64-bit settimeofday  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

audit auditctl 32-bit settimeofday  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 64-bit settimeofday  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

Record Attempts to Alter Time Through stime

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_stime
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27299-7

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:

-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit stime  passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

audit auditctl 32-bit stime  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules

Record Attempts to Alter Time Through clock_settime

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
Result
pass
Time2018-04-30T11:12:31
Severitylow
Identifiers and References

Identifiers:  CCE-27219-5

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option (equivalent to the -F key= form used in the rules above) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit augenrules 32-bit clock_settime passed because of these items:

Path: /etc/audit/rules.d/time-change.rules
Content: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change

audit augenrules 64-bit clock_settime passed because of these items:

Path: /etc/audit/rules.d/time-change.rules
Content: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change

audit auditctl 32-bit clock_settime passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change

audit auditctl 64-bit clock_settime passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
Record Attempts to Alter the localtime File

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27310-2

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(b), IR-5, 5.2.4, Req-10.4.2.b, CCI-001487, CCI-000169, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

OVAL details

audit /etc/localtime watch augenrules passed because of these items:

Path: /etc/audit/rules.d/audit_time_rules.rules
Content: -w /etc/localtime -p wa -k audit_time_rules

audit /etc/localtime watch auditctl passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/localtime -p wa -k audit_time_rules
Record Events that Modify the System's Discretionary Access Controls - chmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27339-1

References:  RHEL-07-030410, SV-86729r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit chmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit chmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27364-9

References:  RHEL-07-030370, SV-86721r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit chown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit chown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27393-8

References:  RHEL-07-030420, SV-86731r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fchmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmod passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchmod passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27388-8

References:  RHEL-07-030430, SV-86733r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fchmodat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmodat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmodat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchmodat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27356-5

References:  RHEL-07-030380, SV-86723r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27387-0

References:  RHEL-07-030400, SV-86727r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fchownat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchownat passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchownat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fchownat passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27353-2

References:  RHEL-07-030480, SV-86743r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fremovexattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fremovexattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27389-6

References:  RHEL-07-030450, SV-86737r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit fsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fsetxattr passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit fsetxattr passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lchown

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27083-5

References:  RHEL-07-030390, SV-86725r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details

audit augenrules 32-bit lchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lchown passed because of these items:

Path: /etc/audit/rules.d/.rules
Content: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lchown passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27410-0

References:  RHEL-07-030490, SV-86745r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
OVAL details

audit augenrules 32-bit lremovexattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lremovexattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lremovexattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lremovexattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27280-7

References:  RHEL-07-030460, SV-86739r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
OVAL details

audit augenrules 32-bit lsetxattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lsetxattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lsetxattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit lsetxattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27367-2

References:  RHEL-07-030470, SV-86741r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
OVAL details

audit augenrules 32-bit removexattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit removexattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit removexattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit removexattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27213-8

References:  RHEL-07-030440, SV-86735r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
OVAL details

audit augenrules 32-bit setxattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit setxattr passed because of these items:

Path | Content
/etc/audit/rules.d/.rules | -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit setxattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 64-bit setxattr passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27347-4

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, Req-10.2.4, Req-10.2.1, 5.2.10, 5.4.1.1, 3.1.7

Description

At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Ensure auditd Collects Information on the Use of Privileged Commands

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27437-3

References:  RHEL-07-030360, SV-86719r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, CCI-002234, SRG-OS-000327-GPOS-00127, Req-10.2.2, 5.2.10, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules suid sgid passed because of these items:

Path | Content
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules | -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit augenrules binaries count matches rules count passed because of these items:

Var ref | Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 | 26

audit auditctl suid sgid passed because of these items:

Path | Content
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules | -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit auditctl binaries count matches rules count passed because of these items:

Var ref | Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 | 26
Ensure auditd Collects File Deletion Events by User

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27206-2

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, 5.2.14, CCI-000366, CCI-000172, CCI-002884, 5.4.1.1, 3.1.7

Description

At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

Ensure auditd Collects Information on Kernel Module Loading and Unloading

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27129-6

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, 5.2.17, CCI-000172, 5.4.1.1, 3.1.7

Description

To capture kernel module loading and unloading events, use the following lines. On a 32-bit system set ARCH to b32; on a 64-bit system include the -a line twice, once with arch=b32 and once with arch=b64:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to the file /etc/audit/audit.rules.

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Record Events that Modify User/Group Information

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27192-4

References:  RHEL-07-030710, SV-86789r3_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000241-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account information:

-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules /etc/group passed because of these items:

Path | Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/group -p wa -k audit_rules_usergroup_modification

audit augenrules /etc/passwd passed because of these items:

Path | Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit augenrules /etc/gshadow passed because of these items:

Path | Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit augenrules /etc/shadow passed because of these items:

Path | Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit augenrules /etc/security/opasswd passed because of these items:

Path | Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit /etc/group passed because of these items:

Path | Content
/etc/audit/audit.rules | -w /etc/group -p wa -k audit_rules_usergroup_modification

audit /etc/passwd passed because of these items:

Path | Content
/etc/audit/audit.rules | -w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit /etc/gshadow passed because of these items:

Path | Content
/etc/audit/audit.rules | -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit /etc/shadow passed because of these items:

Path | Content
/etc/audit/audit.rules | -w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit /etc/security/opasswd passed because of these items:

Path | Content
/etc/audit/audit.rules | -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Record Events that Modify the System's Network Environment

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27076-9

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.4.1.1, 5.2.6, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

Rationale

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

OVAL details

audit /etc/issue augenrules  passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net augenrules  passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts augenrules  passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network augenrules  passed because of these items:

Path: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
Content: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit /etc/issue auditctl  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net auditctl  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts auditctl  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network auditctl  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
System Audit Logs Must Have Mode 0640 or Less Permissive (rule xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit, severity medium, CCE-27205-4)

System Audit Logs Must Have Mode 0640 or Less Permissive

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27205-4

References:  AC-6, AU-1(b), AU-9, IR-5, Req-10.5, 5.4.1.1, 3.3.1

Description

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

$ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file

Rationale

If users can write to audit logs, audit trails can be modified or destroyed.

OVAL details

/var/log/audit files mode 0600  passed because these items were not found:

Object oval:ssg-object_var_log_audit_files:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: ^.*$
  Filter: oval:ssg-state_not_mode_0600:ste:1
State oval:ssg-state_not_mode_0600:ste:1 of type file_state (permission bits that a file must not have; a file matching this state would fail the test)
  Suid: true, Sgid: true, Sticky: true, Uexec: true, Gread: true, Gwrite: true, Gexec: true, Oread: true, Owrite: true, Oexec: true

/var/log/audit files mode 0640  passed because these items were not found:

Object oval:ssg-object_var_log_audit_files-non_root:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: ^.*$
  Filter: oval:ssg-state_not_mode_0640:ste:1
State oval:ssg-state_not_mode_0640:ste:1 of type file_state (as above, but group read is permitted)
  Suid: true, Sgid: true, Sticky: true, Uexec: true, Gwrite: true, Gexec: true, Oread: true, Owrite: true, Oexec: true
System Audit Logs Must Be Owned By Root (rule xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit, severity medium, CCE-80125-8)

System Audit Logs Must Be Owned By Root

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-80125-8

References:  AC-6, AU-1(b), AU-9, IR-5, CCI-000163, SRG-OS-000058-GPOS-00028, Req-10.5.1, 5.4.1.1, 3.3.1

Description

All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
Note that chown root changes only the owning user. The check below also requires the owning group to be root, so if the group is wrong use chown root:root on the same paths.
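A combined check for this rule and the preceding one (files no more permissive than the log_group-dependent maximum, and root:root ownership of the directory and its files), as an added example rather than code from this guide or from scap-security-guide. It uses GNU stat. The directory, configuration file and expected owner are parameters so the functions can be tried against a scratch directory, then run as root against /var/log/audit with the defaults; the files and auditd.conf lines in the usage note are constructed.

```sh
#!/bin/sh
# Added example, not part of the SCAP guide: check the audit log directory
# against the two rules above. Files may be no more permissive than 0640
# when log_group in auditd.conf names a non-root group, else 0600; the
# directory and its files must be owned by USER:GROUP (root:root on a
# real system). Needs GNU stat.
# Usage: audit_log_check [DIR] [AUDITD_CONF] [USER] [GROUP]

# Convert an octal mode string such as "640" or "4755" to decimal.
oct2dec() {
    n=0
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        n=$((n * 8 + d))
    done
    printf '%s' "$n"
}

# Most permissive mode allowed by the log_group setting in CONF.
required_mode() {
    group=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    if [ -n "$group" ] && [ "$group" != root ]; then
        printf '640'
    else
        printf '600'
    fi
}

audit_log_check() {
    dir="${1:-/var/log/audit}"
    conf="${2:-/etc/audit/auditd.conf}"
    user="${3:-root}"
    group="${4:-root}"
    max=$(required_mode "$conf")
    maxdec=$(oct2dec "$max")
    rc=0

    owner=$(stat -c '%U:%G' "$dir")
    if [ "$owner" != "$user:$group" ]; then
        printf '%s: owned by %s, expected %s:%s\n' "$dir" "$owner" "$user" "$group"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        # Permission bits present in the file but absent from the allowed mode.
        extra=$(( $(oct2dec "$mode") & ~maxdec ))
        if [ "$extra" -ne 0 ]; then
            printf '%s: mode %s is more permissive than %s\n' "$f" "$mode" "$max"
            rc=1
        fi
        owner=$(stat -c '%U:%G' "$f")
        if [ "$owner" != "$user:$group" ]; then
            printf '%s: owned by %s, expected %s:%s\n' "$f" "$owner" "$user" "$group"
            rc=1
        fi
    done
    return $rc
}
```

Rotated logs (audit.log.1 and so on) live in the same directory and are covered by the loop; the bitwise comparison flags any bit the maximum does not grant, so a 0640 file is reported when log_group is root and a 0644 file is reported in either configuration.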

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

OVAL details

/var/log/audit files uid root gid root  passed because these items were not found:

Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: ^.*$
  Filter: oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

/var/log/audit directories uid root gid root  passed because these items were not found:

Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: no value
  Filter: oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

/var/log/audit files uid root gid root  passed because of these items:

Path                       Type       UID  GID  Size (B)  Permissions
/var/log/audit/audit.log   regular    0    0    926696    rw-------

/var/log/audit directories uid root gid root  passed because of these items:

Path                       Type       UID  GID  Size (B)  Permissions
/var/log/audit/            directory  0    0    23        rwx------
Record Events that Modify the System's Mandatory Access Controls (rule xccdf_org.ssgproject.content_rule_audit_rules_mac_modification, severity low, CCE-27168-4)

Record Events that Modify the System's Mandatory Access Controls

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27168-4

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.2.7, 5.4.1.1, 3.1.8

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy

Rationale

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

OVAL details

audit selinux changes augenrules  passed because of these items:

Path: /etc/audit/rules.d/MAC-policy.rules
Content: -w /etc/selinux/ -p wa -k MAC-policy

audit selinux changes auditctl  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/selinux/ -p wa -k MAC-policy
Record Attempts to Alter Process and Session Initiation Information (rule xccdf_org.ssgproject.content_rule_audit_rules_session_events, severity low, CCE-27301-1)

Record Attempts to Alter Process and Session Initiation Information

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events
Result: pass
Time: 2018-04-30T11:12:31
Severity: low
Identifiers and References

Identifiers:  CCE-27301-1

References:  AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.3, 5.2.9, 5.4.1.1, 3.1.7

Description

The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

OVAL details

audit augenrules utmp  passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/run/utmp -p wa -k session

audit augenrules btmp  passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/log/btmp -p wa -k session

audit augenrules wtmp  passed because of these items:

Path: /etc/audit/rules.d/session.rules
Content: -w /var/log/wtmp -p wa -k session

audit auditctl utmp  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/run/utmp -p wa -k session

audit auditctl btmp  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/log/btmp -p wa -k session

audit auditctl wtmp  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /var/log/wtmp -p wa -k session
Ensure auditd Collects Information on Exporting to Media (successful) (rule xccdf_org.ssgproject.content_rule_audit_rules_media_export, severity medium, CCE-27447-2)

Ensure auditd Collects Information on Exporting to Media (successful)

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_media_export
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27447-2

References:  RHEL-07-030740, SV-86795r3_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000135, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.13, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
The auid filters restrict the rule to mounts performed in sessions of real users: login UIDs start at 1000 on Red Hat Enterprise Linux 7, and 4294967295 (-1 as an unsigned 32-bit value) is the login UID of processes that never passed through a login, such as daemons. On a 64-bit system add the rule twice, once with arch=b32 and once with arch=b64, as the checks below expect: a 32-bit binary issues 32-bit system calls that a b64-only rule does not match.

Rationale

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

OVAL details

audit augenrules mount 32-bit  passed because of these items:

Path: /etc/audit/rules.d/export.rules
Content: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit augenrules mount 64-bit  passed because of these items:

Path: /etc/audit/rules.d/export.rules
Content: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 32-bit  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 64-bit  passed because of these items:

Path: /etc/audit/audit.rules
Content: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
Ensure auditd Collects System Administrator Actions (rule xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions, severity low, CCE-27461-3)

Ensure auditd Collects System Administrator Actions

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result: pass
Time: 2018-04-30T11:12:45
Severity: low
Identifiers and References

Identifiers:  CCE-27461-3

References:  RHEL-07-030700, SV-86787r3_rule, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

Rationale

The actions taken by system administrators should be audited to keep a record of what was executed on the system and to hold administrators accountable for those actions.

OVAL details

audit augenrules sudoers  passed because of these items:

Path: /etc/audit/rules.d/actions.rules
Content: -w /etc/sudoers -p wa -k actions

audit auditctl sudoers  passed because of these items:

Path: /etc/audit/audit.rules
Content: -w /etc/sudoers -p wa -k actions
Make the auditd Configuration Immutable (rule xccdf_org.ssgproject.content_rule_audit_rules_immutable, severity medium, CCE-27097-5)

Make the auditd Configuration Immutable

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27097-5

References:  AC-6, AU-1(b), AU-2(a), AU-2(c), AU-2(d), IR-5, Req-10.5.2, 4.1.18, 5.4.1.1, 3.3.1, 3.4.3

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. Because auditctl rejects every change once it has processed -e 2, the line must come after all other rules: put it at the end of /etc/audit/audit.rules, or rely on augenrules, which moves any -e option to the end of the rule set it generates regardless of which .rules file contains it.
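The rules on this page (network configuration, MAC policy, session files, media export, sudoers, and the -e 2 lock) are all fixed lines that must be present in the loaded rule set, so one check can cover them together. The following script is an added example, not part of this guide or of the scap-security-guide content. It recognises only the exact rule forms printed in the descriptions above (with -k KEY and -F key=KEY treated as equivalent), so a semantically equivalent rule written differently, such as one -S per line, is reported as missing; it also enforces that -e 2 is present and last. The sample rule file in the usage note is constructed.

```sh
#!/bin/sh
# Added example, not part of the SCAP guide: verify that a rules file
# contains every rule from the descriptions above and that "-e 2" locks
# the configuration. Usage: audit_rules_lint RULES_FILE ["b32 b64"]
# Only the exact rule forms printed in the guide are recognised
# ("-k KEY" and "-F key=KEY" are treated as the same thing).

# Strip comments, squeeze whitespace and unify the key syntax, so that
# cosmetic differences do not cause false "missing" reports.
normalise_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/-F key=/-k /' "$1" | grep -v '^$'
}

audit_rules_lint() {
    rules_file="$1"
    archs="${2:-b32 b64}"
    rc=0
    normalised=$(normalise_rules "$rules_file")

    # Watches required by the rules on this page (file, permissions, key).
    required="-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions"
    # Syscall rules are needed once per architecture (both on x86_64).
    for arch in $archs; do
        required="$required
-a always,exit -F arch=$arch -S sethostname,setdomainname -k audit_rules_networkconfig_modification
-a always,exit -F arch=$arch -S mount -F auid>=1000 -F auid!=4294967295 -k export"
    done

    missing=$(printf '%s\n' "$required" | while IFS= read -r rule; do
        printf '%s\n' "$normalised" | grep -Fxq -- "$rule" ||
            printf 'missing: %s\n' "$rule"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        rc=1
    fi

    # "-e 2" must be present and must be the last rule: auditctl rejects
    # every change that follows it once the configuration is locked.
    last=$(printf '%s\n' "$normalised" | tail -n 1)
    if ! printf '%s\n' "$normalised" | grep -Fxq -- '-e 2'; then
        echo 'missing: -e 2 (audit configuration is not locked)'
        rc=1
    elif [ "$last" != '-e 2' ]; then
        echo 'error: -e 2 is not the last line; rules after it will not load'
        rc=1
    fi
    return $rc
}
```

For an augenrules setup, run it against the generated file (cat /etc/audit/rules.d/*.rules | augenrules --check, or the /etc/audit/audit.rules that augenrules --load writes) rather than one fragment, since the watches are spread across several files. The kernel's loaded rules, as printed by auditctl -l, use a different syntax and are not meant to be fed to this function.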

Rationale

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

OVAL details

audit augenrules configuration locked  passed because of these items:

Path: /etc/audit/rules.d/immutable.rules
Content: -e 2

audit auditctl configuration locked  passed because of these items:

Path: /etc/audit/audit.rules
Content: -e 2
Enable auditd Service (rule xccdf_org.ssgproject.content_rule_service_auditd_enabled, severity high, CCE-27407-6)

Enable auditd Service

Rule ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result: pass
Time: 2018-04-30T11:12:31
Severity: high
Identifiers and References

Identifiers:  CCE-27407-6

References:  RHEL-07-030000, SV-86703r1_rule, AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, CCI-000126, CCI-000131, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, Req-10, 4.1.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6

Description

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

$ sudo systemctl enable auditd.service

Rationale

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

OVAL details

Test that the auditd service is running  passed because of these items:

Unit: auditd.service
Property: ActiveState
Value: active

systemd test  passed because of these items (the report lists this test twice with identical content; it is shown once here):

Unit: multi-user.target
Dependencies: basic.target, sysinit.target, systemd-journal-catalog-update.service, sys-kernel-config.mount, systemd-update-utmp.service, systemd-modules-load.service, systemd-udevd.service, rhel-autorelabel.service, kmod-static-nodes.service, systemd-machine-id-commit.service, systemd-tmpfiles-setup.service, proc-sys-fs-binfmt_misc.automount, swap.target, dev-mapper-rhel\x2dswap.swap, systemd-journald.service, sys-fs-fuse-connections.mount, systemd-tmpfiles-setup-dev.service, rhel-loadmodules.service, lvm2-lvmpolld.socket, systemd-firstboot.service, systemd-random-seed.service, systemd-update-done.service, lvm2-lvmetad.socket, systemd-udev-trigger.service, sys-kernel-debug.mount, cryptsetup.target, lvm2-monitor.service, dev-mqueue.mount, systemd-journal-flush.service, rhel-domainname.service, dev-hugepages.mount, systemd-sysctl.service, plymouth-start.service, systemd-hwdb-update.service, plymouth-read-write.service, systemd-vconsole-setup.service, systemd-binfmt.service, rhel-import-state.service, systemd-ask-password-console.path, local-fs.target, var-log.mount, tmp.mount, -.mount, home.mount, var.mount, var-log-audit.mount, boot.mount, var-tmp.mount, rhel-readonly.service, systemd-remount-fs.service, selinux-policy-migrate-local-changes@targeted.service, microcode.service, slices.target, system.slice, -.slice, paths.target, rhel-dmesg.service, sockets.target, systemd-shutdownd.socket, systemd-udevd-kernel.socket, systemd-udevd-control.socket, dm-event.socket, systemd-initctl.socket, systemd-journald.socket, pcscd.socket, dbus.socket, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, NetworkManager.service, firewalld.service, plymouth-quit-wait.service, dbus.service, kdump.service, systemd-readahead-replay.service, postfix.service, getty.target, getty@tty1.service, auditd.service, rhnsd.service, systemd-readahead-collect.service, tuned.service, network.service, brandbot.path, sshd.service, chronyd.service, systemd-logind.service, systemd-ask-password-wall.path, remote-fs.target, systemd-user-sessions.service, irqbalance.service, rhel-configure.service, rsyslog.service, crond.service, systemd-update-utmp-runlevel.service, plymouth-quit.service, rhsmcertd.service
Enable Auditing for Processes Which Start Prior to the Audit Daemon (rule xccdf_org.ssgproject.content_rule_bootloader_audit_argument, severity medium, CCE-27212-0)

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_audit_argument
Result: pass
Time: 2018-04-30T11:12:31
Severity: medium
Identifiers and References

Identifiers:  CCE-27212-0

References:  AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, IR-5, CCI-001464, CCI-000130, Req-10.3, 4.1.3, 5.4.1.1, 3.3.1

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"
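An idempotent way to add the argument, as an added example that is not part of this guide or of scap-security-guide: it edits only the GRUB_CMDLINE_LINUX line (the check for this rule also inspects GRUB_CMDLINE_LINUX_DEFAULT, which this function leaves alone), leaves a file that already carries audit=1 untouched, and refuses to act on a line that also contains audit=0 rather than guessing which value the kernel would honour. The file path is a parameter so it can be tried on a copy; the lines in the usage note are constructed. After a real edit, rebuild grub.cfg as described in the warning below, and after the next boot confirm the argument reached the kernel with grep -w audit=1 /proc/cmdline.

```sh
#!/bin/sh
# Added example, not part of the SCAP guide: add audit=1 to the
# GRUB_CMDLINE_LINUX value of a /etc/default/grub-style file, once.
# Usage: ensure_grub_audit_arg [FILE]     (default /etc/default/grub)
# Uses GNU sed (-i, -E).

# Succeed if audit=1 is already present as a whole word inside the
# quoted GRUB_CMDLINE_LINUX value (not GRUB_CMDLINE_LINUX_DEFAULT).
has_grub_audit_arg() {
    grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX="([^"]*[[:space:]])?audit=1([[:space:]][^"]*)?"' \
        "${1:-/etc/default/grub}"
}

ensure_grub_audit_arg() {
    file="${1:-/etc/default/grub}"
    if has_grub_audit_arg "$file"; then
        return 0                                   # nothing to do
    fi
    if grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$file"; then
        # A conflicting audit=0 on the same line is left for a human to
        # resolve instead of silently producing "audit=0 ... audit=1".
        if grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX=.*audit=0' "$file"; then
            echo "$file: GRUB_CMDLINE_LINUX contains audit=0; remove it first" >&2
            return 1
        fi
        # Append inside the existing quotes, then tidy the case where the
        # value was empty and the append left a leading space.
        sed -i -E 's/^([[:space:]]*GRUB_CMDLINE_LINUX=")([^"]*)"/\1\2 audit=1"/' "$file"
        sed -i 's/=" audit=1"/="audit=1"/' "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="audit=1"\n' >> "$file"
    fi
    has_grub_audit_arg "$file"                     # verify the result
}
```

Because the function checks its own result, a non-zero exit means the file was not brought into the required state and grub2-mkconfig should not be run yet.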

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Warnings
warning  The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
OVAL details

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  passed because of these items:

Path: /etc/default/grub
Content: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet audit=1"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  passed because these items were not found:

Object oval:ssg-object_bootloader_audit_argument_default:obj:1 of type textfilecontent54_object
  Filepath: /etc/default/grub
  Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$
  Instance: 1
State oval:ssg-state_bootloader_audit_argument:ste:1 of type textfilecontent54_state
  Subexpression: ^.*audit=1.*$
Set SSH Idle Timeout Interval (rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout, severity low, CCE-27433-2)

Set SSH Idle Timeout Interval

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result: pass
Time: 2018-04-30T11:12:45
Severity: low
Identifiers and References

Identifiers:  CCE-27433-2

References:  RHEL-07-040320, SV-86861r2_rule, AC-2(5), SA-8(i), AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, Req-8.1.8, 5.2.12, 5.5.6, 3.1.11

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
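Reading the value from sshd_config is less simple than a grep: sshd uses the first occurrence of each keyword, keyword names are case-insensitive, a Keyword=value spelling is accepted, and a value inside a Match block applies only to the sessions that block matches. The functions below are an added example, not part of this guide or of scap-security-guide, and apply those rules of sshd_config(5) to a configuration file; the sample file in the usage note is constructed. Two caveats, also from sshd_config(5) and the OpenSSH 8.2 release notes: sshd only disconnects a client that fails to answer ClientAliveCountMax consecutive keepalive requests (default 3), and a connected but idle ssh client does answer them, so the interval alone does not log out an idle interactive session. The RHEL 7 STIG pairs the interval with ClientAliveCountMax 0, which on OpenSSH releases before 8.2 (the versions RHEL 7 ships) terminates the session at the first interval without client traffic, whereas OpenSSH 8.2 and later treat 0 as disabling termination entirely.

```sh
#!/bin/sh
# Added example, not part of the SCAP guide: determine the value sshd will
# actually use for a keyword, following sshd_config(5): the first
# occurrence of a keyword wins, keyword names are case-insensitive,
# "Keyword=value" is accepted, and anything below a Match line applies
# only to the sessions that block matches.
# Usage: sshd_effective_value FILE KEYWORD

sshd_effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        {
            sub(/#.*/, "")                 # comments run to end of line
            sub(/^[ \t]+/, "")
            n = split($0, f, /[ \t=]+/)
            if (n < 1 || f[1] == "") next
            name = tolower(f[1])
            if (name == "match") exit      # global section ends here
            if (name == key) { print f[2]; exit }
        }' "$1"
}

# sshd_idle_timeout_ok FILE MAX_SECONDS: succeed when ClientAliveInterval
# is set, non-zero and at most MAX_SECONDS. ClientAliveCountMax is
# reported as well, because it decides whether the interval ends a
# session at all (see the note above the code).
sshd_idle_timeout_ok() {
    interval=$(sshd_effective_value "$1" ClientAliveInterval)
    countmax=$(sshd_effective_value "$1" ClientAliveCountMax)
    case "$interval" in
        ''|*[!0-9]*)
            echo 'ClientAliveInterval is not set (sshd default 0: never)'
            return 1 ;;
    esac
    if [ "$interval" -eq 0 ] || [ "$interval" -gt "$2" ]; then
        echo "ClientAliveInterval $interval is 0 or exceeds $2"
        return 1
    fi
    echo "ClientAliveInterval $interval, ClientAliveCountMax ${countmax:-3 (default)}"
}
```

On the host itself, sshd -T (run as root) prints the effective configuration and is the authoritative answer; the parser above is for reviewing a file offline, for instance one pulled from a configuration management repository.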

Rationale

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL details

timeout is configured  passed because of these items:

Path: /etc/ssh/sshd_config
Content: ClientAliveInterval 900
Enable the NTP Daemon (rule xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled, severity medium, CCE-27444-9)

Enable the NTP Daemon

Rule ID: xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27444-9

References:  AU-8(1), CCI-000160, Req-10.4, 2.2.1.1, 3.3.7

Description

The chronyd service can be enabled with the following command:

$ sudo systemctl enable chronyd.service
Note: The chronyd daemon is enabled by default.

The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
Note: The ntpd daemon is not enabled by default. In certain environments, however, ntpd may be preferred over chronyd; refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance on which NTP daemon to choose for a given environment.

Rationale

Enabling either the chronyd or the ntpd service ensures that an NTP daemon will be running and that the system will synchronize its time to the servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

Specify a Remote NTP Server (rule xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server, severity medium, CCE-27278-1)

Specify a Remote NTP Server

Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server
Result: pass
Time: 2018-04-30T11:12:45
Severity: medium
Identifiers and References

Identifiers:  CCE-27278-1

References:  AU-8(1), CCI-000160, Req-10.4.1, Req-10.4.3, 3.6, 3.3.7

Description

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 Server system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:

  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Specify Additional Remote NTP Servers (rule xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers, severity low, CCE-27012-4)

Specify Additional Remote NTP Servers

Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers
Result: pass
Time: 2018-04-30T11:12:45
Severity: low
Identifiers and References

Identifiers:  CCE-27012-4

References:  AU-8(1), Req-10.4.3

Description

Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 Server system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:

  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
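A check that lists the configured sources and applies a minimum count, covering this rule and the preceding one, as an added example that is not part of this guide or of scap-security-guide. It reads the server, pool and peer directives of either chrony.conf or ntp.conf, ignores comments introduced by #, and does not count ntpd's 127.127.t.u reference-clock addresses (127.127.1.0 is the undisciplined local clock), which satisfy a naive search for a server line without providing any remote time source. The configuration files in the usage note are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the SCAP guide: list the time sources in a
# chrony.conf or ntp.conf and enforce a minimum number of them.
# Usage: ntp_sources FILE; ntp_sources_ok FILE MIN

# Print "directive host" for every server, pool or peer directive,
# ignoring comments introduced by '#'.
ntp_sources() {
    sed -e 's/#.*//' "$1" |
        awk 'tolower($1) ~ /^(server|pool|peer)$/ { print tolower($1), $2 }'
}

# Succeed when at least MIN distinct remote sources are configured. ntpd's
# 127.127.t.u addresses select reference-clock drivers (127.127.1.0 is the
# undisciplined local clock), not remote servers, so they are not counted.
ntp_sources_ok() {
    n=$(ntp_sources "$1" | awk '$2 !~ /^127\.127\./' | sort -u | wc -l)
    printf '%s: %s remote time source(s) configured, %s required\n' "$1" "$n" "$2"
    [ "$n" -ge "$2" ]
}
```

A pool directive expands to several servers at run time, so one pool line can satisfy a minimum of two in practice even though it counts once here; whether the daemon actually reaches its sources is a separate question answered on the host by chronyc sources (chrony) or ntpq -p (ntpd).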

Rationale

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.