STIG for Red Hat Enterprise Linux 7 Server
This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. Where is the RHEL7 STIG?Question: May I deploy a product if no STIG exists? Answer: Yes, based on mission need and with DAA approval. Question: What do I use if there is no STIG? Answer: DISA FSO developed Security Requirement Guides (SRGs) to address technology areas. In the absence of a STIG, an SRG can be used to determine compliance with DoD policies. If there is no applicable SRG or STIG, industry or vendor recommended practices may be used. Examples include Center for Internet Security Benchmarks, Payment Card Industry requirements or the vendor's own security documentation. Source: http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG


ID Severity Title Discussion (Rationale) Fix Text (Description) Check Text (OCIL Check) SRG Refs CCI Refs 800-53 Refs
installed_OS_is_certified high The Installed Operating System Is Vendor Supported and Certified An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications. The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
accounts_password_pam_minlen medium Set Password Minimum Length The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. SRG-OS-000078-GPOS-00046
CCI-000205
IA-5 (1) (a)
accounts_password_pam_ocredit medium Set Password Strength Minimum Special Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords. SRG-OS-000266-GPOS-00101
CCI-001619
IA-5 (1) (a)
accounts_password_pam_dcredit medium Set Password Strength Minimum Digit Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. SRG-OS-000071-GPOS-00039
CCI-000194
IA-5 (1) (a)
accounts_password_pam_ucredit medium Set Password Strength Minimum Uppercase Characters Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. SRG-OS-000069-GPOS-00037
CCI-000192
IA-5 (1) (a)
accounts_password_pam_lcredit medium Set Password Strength Minimum Lowercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. SRG-OS-000070-GPOS-00038
CCI-000193
IA-5 (1) (a)
package_screen_installed medium Install the screen Package A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but des not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The screen package allows for a session lock to be implemented and configured.
To enable console screen locking, install the screen package:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
SRG-OS-000029-GPOS-00010
CCI-000057
AC-11 a
sshd_set_idle_timeout low Set SSH Idle Timeout Interval Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-001133
CCI-002361
SC-10
accounts_password_all_shadowed medium Verify All Account Password Hashes are Shadowed The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. CCI-NaN
no_empty_passwords high Prevent Log In to Accounts With Empty Password If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
bootloader_password high Set Boot Loader Password Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
SRG-OS-000080-GPOS-00048
CCI-000213
AC-3
bootloader_uefi_password medium Set the UEFI Boot Loader Password Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to The UEFI grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
SRG-OS-000080-GPOS-00048
CCI-000213
AC-3
require_singleuser_auth medium Require Authentication for Single User Mode This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
SRG-OS-000080-GPOS-00048
CCI-000213
AC-3
disable_interactive_boot medium Verify that Interactive Boot is Disabled Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. Red Hat Enterprise Linux systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 7 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of
systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot.
SRG-OS-000080-GPOS-00048
CCI-000213
AC-3
service_debug-shell_disabled medium Disable debug-shell SystemD Service This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is disabled. The debug-shell service can be disabled with the following command:
$ sudo systemctl disable debug-shell.service
no_direct_root_logins medium Direct root Logins Not Allowed Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enteprise Linux's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command:
$ sudo echo > /etc/securetty
securetty_root_login_console_only medium Restrict Virtual Console Root Logins Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
SRG-OS-000109-GPOS-00056
CCI-000770
IA-2 (5) (b)
restrict_serial_port_logins low Restrict Serial Port Root Logins Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1
SRG-OS-000109-GPOS-00056
CCI-000770
IA-2 (5) (b)
sshd_disable_root_login medium Disable SSH Root Login Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_disable_empty_passwords high Disable SSH Access via Empty Passwords Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
bios_assign_password low Assign Password to Prevent Changes to Boot Firmware Configuration Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion. Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes.
accounts_passwords_pam_faillock_deny_root medium Configure the root Account for Failed Password Attempts By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Modify the following line in the AUTH section to add even_deny_root:
    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
  • Modify the following line in the AUTH section to add even_deny_root:
    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
SRG-OS-000329-GPOS-00128
CCI-002238
accounts_password_pam_retry low Set Password Retry Prompts Permitted Per-Session Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. To configure the number of retry prompts that are permitted per-session:

Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
accounts_passwords_pam_faillock_deny medium Set Deny For Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
SRG-OS-000329-GPOS-00128
CCI-002238
accounts_passwords_pam_faillock_unlock_time medium Set Lockout Time For Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
SRG-OS-000329-GPOS-00128
CCI-002238
accounts_passwords_pam_faillock_interval medium Set Interval For Counting Failed Password Attempts By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an accounts after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
SRG-OS-000329-GPOS-00128
CCI-002238
service_firewalld_enabled medium Verify firewalld Enabled Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
set_firewalld_default_zone medium Set Default firewalld Zone for Incoming Packets In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:
DefaultZone=drop
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_conf_default_accept_source_route medium Configure Kernel Parameter for Accepting Source-Routed Packets By Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
CM-6 b
AC-4
sysctl_net_ipv4_conf_all_accept_source_route medium Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_tcp_syncookies medium Configure Kernel Parameter to Use TCP Syncookies A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_conf_all_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_conf_default_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects by Default ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_conf_all_accept_redirects medium Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001503
CCI-001551
CM-6 b
CM-6 d
AC-4
sysctl_net_ipv4_conf_default_accept_redirects medium Configure Kernel Parameter for Accepting ICMP Redirects By Default ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects = 0
CCI-001551
AC-4
sysctl_net_ipv4_icmp_echo_ignore_broadcasts medium Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv4_ip_forward medium Disable Kernel Parameter for IP Forwarding Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sysctl_net_ipv6_conf_all_accept_source_route medium Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
auditd_audispd_syslog_plugin_activated medium Configure auditd to use audispd's syslog plugin The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:
$ sudo service auditd restart
CCI-000136
AU-3 (2)
auditd_data_retention_num_logs medium Configure auditd Number of Logs Retained The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of :
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
auditd_data_retention_max_log_file medium Configure auditd Max Log File Size The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
auditd_data_retention_max_log_file_action medium Configure auditd max_log_file_action Upon Reaching Maximum Log Size Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
auditd_data_retention_space_left_action medium Configure auditd space_left Action on Low Disk Space Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
SRG-OS-000343-GPOS-00134
CCI-001855
auditd_data_retention_admin_space_left_action medium Configure auditd admin_space_left Action on Low Disk Space Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
SRG-OS-000047-GPOS-00023
CCI-000140
CCI-001343
AU-5 b
AU-5 (4)
auditd_data_retention_action_mail_acct medium Configure auditd mail_acct Action on Low Disk Space Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
SRG-OS-000343-GPOS-00134
CCI-001855
file_permissions_var_log_audit medium System Audit Logs Must Have Mode 0640 or Less Permissive If users can write to audit logs, audit trails can be modified or destroyed. If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file
CCI-NaN
service_auditd_enabled high Enable auditd Service Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
SRG-OS-000038-GPOS-00016
CCI-000126
CCI-000131
AU-2 d
AU-3
bootloader_audit_argument medium Enable Auditing for Processes Which Start Prior to the Audit Daemon Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"
SRG-OS-000254-GPOS-00095
SRG-OS-000037-GPOS-00015
CCI-001464
CCI-000130
AU-14 (1)
AU-3
auditd_data_retention_flush low Configure auditd flush priority Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = 
CCI-001576
AU-12 (1)
audit_rules_time_adjtimex low Record attempts to alter time through adjtimex Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
SRG-OS-000255-GPOS-00096
SRG-OS-000062-GPOS-00031
CCI-001487
CCI-000169
AU-3
AU-12 a
audit_rules_time_settimeofday low Record attempts to alter time through settimeofday Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
SRG-OS-000255-GPOS-00096
SRG-OS-000062-GPOS-00031
CCI-001487
CCI-000169
AU-3
AU-12 a
audit_rules_time_stime low Record Attempts to Alter Time Through stime Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
SRG-OS-000255-GPOS-00096
SRG-OS-000062-GPOS-00031
CCI-001487
CCI-000169
AU-3
AU-12 a
audit_rules_time_clock_settime low Record Attempts to Alter Time Through clock_settime Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
SRG-OS-000255-GPOS-00096
SRG-OS-000062-GPOS-00031
CCI-001487
CCI-000169
AU-3
AU-12 a
audit_rules_time_watch_localtime low Record Attempts to Alter the localtime File Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
SRG-OS-000255-GPOS-00096
SRG-OS-000062-GPOS-00031
CCI-001487
CCI-000169
AU-3
AU-12 a
audit_rules_usergroup_modification low Record Events that Modify User/Group Information In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000303-GPOS-00120
CCI-000018
CCI-000172
CCI-001403
CCI-002130
AC-2 (4)
AU-12 c
AC-2 (4)
audit_rules_networkconfig_modification low Record Events that Modify the System's Network Environment The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
audit_rules_mac_modification low Record Events that Modify the System's Mandatory Access Controls The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
audit_rules_dac_modification_chmod low Record Events that Modify the System's Discretionary Access Controls - chmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_chown low Record Events that Modify the System's Discretionary Access Controls - chown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_fchmod low Record Events that Modify the System's Discretionary Access Controls - fchmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_fchmodat low Record Events that Modify the System's Discretionary Access Controls - fchmodat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_fchown low Record Events that Modify the System's Discretionary Access Controls - fchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_fchownat low Record Events that Modify the System's Discretionary Access Controls - fchownat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_fremovexattr medium Record Events that Modify the System's Discretionary Access Controls - fremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_dac_modification_fsetxattr low Record Events that Modify the System's Discretionary Access Controls - fsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_lchown low Record Events that Modify the System's Discretionary Access Controls - lchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_lremovexattr medium Record Events that Modify the System's Discretionary Access Controls - lremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_dac_modification_lsetxattr low Record Events that Modify the System's Discretionary Access Controls - lsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_dac_modification_removexattr medium Record Events that Modify the System's Discretionary Access Controls - removexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_dac_modification_setxattr low Record Events that Modify the System's Discretionary Access Controls - setxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000126
CCI-000172
AU-2 d
AU-12 c
audit_rules_login_events medium Record Attempts to Alter Logon and Logout Events Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_session_events low Record Attempts to Alter Process and Session Initiation Information Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
audit_rules_privileged_commands medium Ensure auditd Collects Information on the Use of Privileged Commands Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000327-GPOS-00127
CCI-002234
audit_rules_media_export medium Ensure auditd Collects Information on Exporting to Media (successful) The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-002884
AU-3 (1)
audit_rules_file_deletion_events medium Ensure auditd Collects File Deletion Events by User Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_sysadmin_actions low Ensure auditd Collects System Administrator Actions The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000172
CCI-002884
AU-2 d
AU-3
AU-3 (1)
AU-12 c
audit_rules_immutable medium Make the auditd Configuration Immutable Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
service_chronyd_or_ntpd_enabled medium Enable the NTP Daemon Enabling some of chronyd or ntpd services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
The chronyd service can be enabled with the following command:
$ sudo systemctl enable chronyd.service
Note: The chronyd daemon is enabled by default.

The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
Note: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance which NTP daemon to choose depending on the environment used.
CCI-000160
AU-8 (1)
chronyd_or_ntpd_specify_remote_server medium Specify a Remote NTP Server Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 Server system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.
CCI-000160
AU-8 (1)
chronyd_or_ntpd_specify_multiple_servers low Specify Additional Remote NTP Servers Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. Depending on specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux 7 Server system can be configured to utilize the services of the chronyd NTP daemon (the default), or services of the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so, perform the following:
  • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
  • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
wireless_disable_in_bios low Disable WiFi or Bluetooth in BIOS Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot. CCI-000085
AC-19 c
wireless_disable_interfaces low Deactivate Wireless Network Interfaces Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

First, identify the interfaces available with the command:
$ ifconfig -a
Additionally, the following command may be used to determine whether wireless support is included for a particular interface, though this may not always be a clear indicator:
$ iwconfig
After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command:
$ sudo ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts:
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
CCI-000085
AC-19 c
kernel_module_bluetooth_disabled medium Disable Bluetooth Kernel Modules If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
CCI-000085
CCI-001551
AC-19 c
AC-4
service_bluetooth_disabled medium Disable Bluetooth Service Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. The bluetooth service can be disabled with the following command:
$ sudo systemctl disable bluetooth.service
$ sudo service bluetooth stop
CCI-000085
CCI-001551
AC-19 c
AC-4
kernel_module_usb-storage_disabled medium Disable Modprobe Loading of USB Storage Driver USB storage devices such as thumb drives can be used to introduce malicious software. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
CM-6 b
IA-3
bootloader_nousb_argument low Disable Kernel Support for USB via Bootloader Configuration Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems. All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
WARNING: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.
CCI-001250
SI-3 (5)
bios_disable_usb_boot low Disable Booting from USB Devices in Boot Firmware Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS. Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives. CCI-001250
SI-3 (5)
service_autofs_disabled medium Disable the Automounter Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
CM-6 b
IA-3
service_xinetd_disabled medium Disable xinetd Service The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. The xinetd service can be disabled with the following command:
$ sudo systemctl disable xinetd.service
CCI-000305
CM-2 (4) (a)
package_xinetd_removed low Uninstall xinetd Package Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. The xinetd package can be uninstalled with the following command:
$ sudo yum erase xinetd
CCI-000305
CM-2 (4) (a)
service_telnet_disabled high Disable telnet Service The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. The telnet service configuration file /etc/xinetd.d/telnet is not created automatically. If it was created manually, check the /etc/xinetd.d/telnet file and ensure that disable = no is changed to read disable = yes as follows below:
# description: The telnet server serves telnet sessions; it uses \\
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream

        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled via the following command: The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket
CCI-NaN
package_telnet-server_removed high Uninstall telnet-server Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
The telnet-server package can be uninstalled with the following command:
$ sudo yum erase telnet-server
SRG-OS-000095-GPOS-00049
CCI-000381
CM-7
package_telnet_removed low Remove telnet Clients The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux. The telnet client allows users to start connections to other systems via the telnet protocol.
package_rsh-server_removed high Uninstall rsh-server Package The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. The rsh-server package can be uninstalled with the following command:
$ sudo yum erase rsh-server
SRG-OS-000095-GPOS-00049
CCI-000381
CM-7
service_rexec_disabled high Disable rexec Service The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. If using systemd, The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket
SRG-OS-000033-GPOS-00014
CCI-000068
CCI-001436
AC-17 (2)
AC-17 (8)
service_rsh_disabled high Disable rsh Service The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. If using systemd, The rsh socket can be disabled with the following command:
$ sudo systemctl disable rsh.socket
SRG-OS-000033-GPOS-00014
CCI-000068
CCI-001436
AC-17 (2)
AC-17 (8)
package_rsh_removed low Uninstall rsh Package These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh,rcp, and rlogin. The rsh package contains the client commands for the rsh services
service_rlogin_disabled high Disable rlogin Service The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. If using systemd, The rlogin socket can be disabled with the following command:
$ sudo systemctl disable rlogin.socket
CCI-001436
AC-17 (8)
no_rsh_trust_files high Remove Rsh Trust Files Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
CCI-001436
AC-17 (8)
package_ypserv_removed high Uninstall ypserv Package The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. The ypserv package can be uninstalled with the following command:
$ sudo yum erase ypserv
SRG-OS-000095-GPOS-00049
CCI-000381
CM-7
service_ypbind_disabled medium Disable ypbind Service Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use. The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command:
$ sudo systemctl disable ypbind.service
CCI-000305
CM-2 (4) (a)
package_ypbind_removed low Remove NIS Client The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.
package_talk-server_removed medium Uninstall talk-server Package The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. The talk-server package can be removed with the following command:
$ sudo yum erase talk-server
package_talk_removed low Uninstall talk Package The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program. The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:
$ sudo yum erase talk
service_crond_enabled medium Enable cron Service Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service
sshd_allow_only_protocol2 high Allow Only SSH Protocol 2 SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
SRG-OS-000074-GPOS-00042
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000197
CCI-000366
IA-5 (1) (c)
CM-6 b
sshd_set_keepalive medium Set SSH Client Alive Count This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached. To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-001133
CCI-002361
SC-10
sshd_disable_rhosts medium Disable SSH Support for .rhosts Files SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
disable_host_auth medium Disable Host-Based Authentication SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_do_not_permit_user_env medium Do Not Allow SSH Environment Options SSH environment options potentially allow users to bypass access restriction in some configurations. To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_use_approved_ciphers medium Use Only Approved Ciphers Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
The man page sshd_config(5) contains a list of supported ciphers.
SRG-OS-000033-GPOS-00014
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000120-GPOS-00061
CCI-000068
CCI-000366
CCI-000803
AC-17 (2)
CM-6 b
IA-7
sshd_use_approved_macs medium Use Only FIPS Approved MACs DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
SRG-OS-000250-GPOS-00093
CCI-001453
AC-17 (2)
enable_selinux_bootloader medium Ensure SELinux Not Disabled in /etc/default/grub Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot. CCI-000022
CCI-000032
AC-3 (3) (a)
AC-4 (8)
selinux_state high Ensure SELinux State is Enforcing Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-002165
CCI-002696
selinux_policytype high Configure SELinux Policy Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
SRG-OS-000445-GPOS-00199
CCI-002696
selinux_confinement_of_daemons medium Ensure No Daemons are Unconfined by SELinux Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require. Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context.

To check for unconfined daemons, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system.
selinux_all_devicefiles_labeled medium Ensure No Device Files are Unlabeled by SELinux If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file. Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files do not carry the SELinux type device_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for unlabeled device files, run the following command:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000022
CCI-000032
CCI-000368
CCI-000318
CCI-001812
CCI-001813
CCI-001814
AC-3 (3) (a)
AC-4 (8)
CM-6 c
CM-3 e
accounts_no_uid_except_zero high Verify Only Root Has UID 0 An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
gid_passwd_group_same low All GIDs referenced in /etc/passwd must be defined in /etc/group If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. Add a group to the system for each GID referenced without a corresponding group. SRG-OS-000104-GPOS-00051
CCI-000764
IA-2
rpm_verify_permissions high Verify and Correct File Permissions with RPM Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command:
$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

SRG-OS-000257-GPOS-00098
SRG-OS-000278-GPOS-00108
CCI-001494
CCI-001496
AU-9
AU-9 (3)
file_permissions_sshd_pub_key medium Verify Permissions on SSH Server Public *.pub Key Files If a public host key file is modified by an unauthorized user, the SSH service may be compromised. To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
file_permissions_sshd_private_key medium Verify Permissions on SSH Server Private *_key Key Files If an unauthorized user obtains the private SSH host key file, the host could be impersonated. To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
file_permissions_ungroupowned medium Ensure All Files Are Owned by a Group Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-002165
no_files_unowned_by_user medium Ensure All Files Are Owned by a User Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-002165
package_aide_installed medium Install AIDE The AIDE package must be installed if it is to be available for integrity checking. Install the AIDE package with the command:
$ sudo yum install aide
CCI-NaN
disable_prelink low Disable Prelinking Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua
aide_build_database medium Build and Test AIDE Database For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
aide_periodic_cron_checking medium Configure Periodic Execution of AIDE By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
SRG-OS-000363-GPOS-00150
CCI-001744
rpm_verify_hashes high Verify File Hashes with RPM The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
CCI-000663
SA-7
install_hids high Install Intrusion Detection Software Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network. The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. CCI-001263
SI-4 (5)
sysctl_fs_suid_dumpable low Disable Core Dumps for SUID programs The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0
sysctl_kernel_exec_shield medium Enable ExecShield ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield. CCI-002530
sysctl_kernel_randomize_va_space medium Enable Randomized Layout of Virtual Address Space Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
install_PAE_kernel_on_x86-32 low Install PAE Kernel on Supported 32-bit x86 Systems On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:
$ sudo yum install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary.
bios_enable_execution_restrictions low Enable NX or XD Support in the BIOS Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
sysctl_kernel_dmesg_restrict low Restrict Access to Kernel Message Buffer Unprivileged access to the kernel syslog can expose sensitive kernel address information. To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1
SRG-OS-000206-GPOS-00084
CCI-001314
SI-11 c
accounts_max_concurrent_login_sessions low Limit the Number of Concurrent Login Sessions Allowed Per User Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf:
* hard maxlogins 
SRG-OS-000027-GPOS-00008
CCI-000054
AC-10
accounts_maximum_age_login_defs medium Set Password Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately:
PASS_MAX_DAYS DAYS
A value of 180 days is sufficient for many environments. The DoD requirement is 60.
SRG-OS-000076-GPOS-00044
CCI-000199
IA-5 (1) (d)
accounts_minimum_age_login_defs medium Set Password Minimum Age Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately:
PASS_MIN_DAYS DAYS
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
SRG-OS-000075-GPOS-00043
CCI-000198
IA-5 (1) (d)
accounts_tmout medium Set Interactive Session Timeout Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:
TMOUT=
SRG-OS-000163-GPOS-00072
CCI-001133
CCI-000361
SC-10
CM-5 (5) (b)
display_login_attempts low Set Last Logon/Access Notification Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
set_password_hashing_algorithm_libuserconf medium Set Password Hashing Algorithm in /etc/libuser.conf Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:
crypt_style = sha512
SRG-OS-000073-GPOS-00041
CCI-000196
IA-5 (1) (c)
set_password_hashing_algorithm_systemauth medium Set PAM's Password Hashing Algorithm Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
SRG-OS-000073-GPOS-00041
CCI-000196
IA-5 (1) (c)
set_password_hashing_algorithm_logindefs medium Set Password Hashing Algorithm in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
SRG-OS-000073-GPOS-00041
CCI-000196
IA-5 (1) (c)
encrypt_partitions high Encrypt Partitions The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
SRG-OS-000185-GPOS-00079
SRG-OS-000405-GPOS-00184
CCI-001199
CCI-002476
SC-28
ensure_gpgcheck_globally_activated high Ensure gpgcheck Enabled In Main Yum Configuration Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_repo_metadata high Ensure gpgcheck Enabled for Repository Metadata Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again.

NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf.
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_local_packages high Ensure gpgcheck Enabled for Local Packages Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. SRG-OS-000366-GPOS-00153
CCI-001749
network_sniffer_disabled medium Ensure System is Not Acting as a Network Sniffer Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
partition_for_tmp low Ensure /tmp Located On Separate Partition The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
partition_for_var_log_audit low Ensure /var/log/audit Located On Separate Partition Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
partition_for_var low Ensure /var Located On Separate Partition Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
partition_for_home low Ensure /home Located On Separate Partition Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001208
CM-6 b
SC-32
mount_option_nosuid_remote_filesystems medium Mount Remote Filesystems with nosuid NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
mount_option_nodev_remote_filesystems medium Mount Remote Filesystems with nodev Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
mount_option_nosuid_removable_partitions low Add nosuid Option to Removable Media Partitions The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
mount_option_nodev_removable_partitions low Add nodev Option to Removable Media Partitions The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems. The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
mount_option_noexec_removable_partitions low Add noexec Option to Removable Media Partitions Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. CCI-000087
AC-19 e
audit_rules_system_shutdown medium Shutdown System When Auditing Failures Occur It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:
-f 2
SRG-OS-000046-GPOS-00022
CCI-000139
AU-5 a
audit_rules_login_events_tallylog medium Record Attempts to Alter Logon and Logout Events - tallylog Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
CCI-000126
AU-12 c
AU-2 d
audit_rules_login_events_faillock medium Record Attempts to Alter Logon and Logout Events - faillock Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
CCI-000126
AU-12 c
AU-2 d
audit_rules_login_events_lastlog medium Record Attempts to Alter Logon and Logout Events - lastlog Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
CCI-000126
AU-12 c
AU-2 d
audit_rules_unsuccessful_file_modification medium Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_creat medium Record Unauthorized Access Attempts to Files (unsuccessful) - creat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_open medium Record Unauthorized Access Attempts to Files (unsuccessful) - open Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_openat medium Record Unauthorized Access Attempts to Files (unsuccessful) - openat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_open_by_handle_at medium Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_truncate medium Record Unauthorized Access Attempts to Files (unsuccessful) - truncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_unsuccessful_file_modification_ftruncate medium Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_execution_semanage medium Record Any Attempts to Run semanage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_execution_setsebool medium Record Any Attempts to Run setsebool Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_execution_chcon medium Record Any Attempts to Run chcon Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_execution_restorecon medium Record Any Attempts to Run restorecon Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
AU-12 c
audit_rules_privileged_commands_passwd medium Ensure auditd Collects Information on the Use of Privileged Commands - passwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_unix_chkpwd medium Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_gpasswd medium Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_chage medium Ensure auditd Collects Information on the Use of Privileged Commands - chage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_userhelper medium Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_su medium Ensure auditd Collects Information on the Use of Privileged Commands - su Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_sudo medium Ensure auditd Collects Information on the Use of Privileged Commands - sudo Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_sudoedit medium Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_newgrp medium Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_chsh medium Ensure auditd Collects Information on the Use of Privileged Commands - chsh Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_umount medium Ensure auditd Collects Information on the Use of Privileged Commands - umount Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_postdrop medium Ensure auditd Collects Information on the Use of Privileged Commands - postdrop Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_postqueue medium Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_ssh_keysign medium Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_pt_chown medium Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_crontab medium Ensure auditd Collects Information on the Use of Privileged Commands - crontab Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_privileged_commands_pam_timestamp_check medium Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000172
CCI-002884
AU-3 (1)
AU-12 c
audit_rules_file_deletion_events_rmdir medium Ensure auditd Collects File Deletion Events by User - rmdir Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_file_deletion_events_unlink medium Ensure auditd Collects File Deletion Events by User - unlink Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_file_deletion_events_unlinkat medium Ensure auditd Collects File Deletion Events by User - unlinkat Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_file_deletion_events_rename medium Ensure auditd Collects File Deletion Events by User - rename Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_file_deletion_events_renameat medium Ensure auditd Collects File Deletion Events by User - renameat Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000366
CCI-000172
CCI-002884
CM-6 b
AU-12 c
audit_rules_kernel_module_loading medium Ensure auditd Collects Information on Kernel Module Loading and Unloading The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_kernel_module_loading_init medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - init_module The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S init_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S init_module -F key=modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_kernel_module_loading_delete medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - delete_module The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_kernel_module_loading_insmod medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - insmod The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_kernel_module_loading_rmmod medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - rmmod The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/rmmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/rmmod -p x -k modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
audit_rules_kernel_module_loading_modprobe medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/modprobe -p x -k modules
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
AU-12 c
accounts_password_pam_minclass medium Set Password Strength Minimum Different Categories Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
SRG-OS-000072-GPOS-00040
CCI-000195
IA-5 (1) (b)
accounts_password_pam_unix_remember medium Limit Password Reuse Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
SRG-OS-000077-GPOS-00045
CCI-000200
IA-5 (1) (e)
accounts_password_pam_difok medium Set Password Strength Minimum Different Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change. Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords. SRG-OS-000072-GPOS-00040
CCI-000195
IA-5 (1) (b)
accounts_password_pam_maxrepeat medium Set Password Maximum Consecutive Repeating Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
IA-5 (1) (b)
accounts_password_pam_maxclassrepeat medium Set Password to Maximum of Consecutive Repeating Characters from Same Character Class Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
IA-5 (1) (b)
account_disable_post_pw_expiration medium Set Account Expiration Following Inactivity Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
SRG-OS-000118-GPOS-00060
CCI-000795
IA-4 e
account_temp_expire_date low Assign Expiration Date to Temporary Accounts If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SRG-OS-000002-GPOS-00002
SRG-OS-000123-GPOS-00064
CCI-000016
CCI-001682
AC-2 (2)
accounts_logon_fail_delay low Ensure the Logon Failure Delay is Set Correctly in login.defs Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sudo_remove_no_authenticate medium Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
sudo_remove_nopasswd medium Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
smartcard_auth medium Enable Smart Card Login Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. To enable smart card authentication, consult the documentation at: For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: SRG-OS-000105-GPOS-00052
SRG-OS-000106-GPOS-00053
SRG-OS-000107-GPOS-00054
SRG-OS-000108-GPOS-00055
CCI-000765
CCI-000766
CCI-000767
CCI-000768
CCI-000771
CCI-000772
CCI-000884
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (4)
IA-2 (6)
IA-2 (7)
MA-4 (4)
banner_etc_issue medium Modify the System Login Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SRG-OS-000023-GPOS-00006
CCI-000048
AC-8 a
sshd_enable_warning_banner medium Enable SSH Warning Banner The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
AC-8 a
AC-8 b
AC-8 c
AC-8 c
AC-8 c
AC-8 c
AC-8 c
ftp_present_banner medium Create Warning Banners for All FTP Users This setting will cause the system greeting banner to be used for FTP connections as well. Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:
banner_file=/etc/issue
SRG-OS-000023-GPOS-00006
CCI-000048
AC-8 a
accounts_umask_etc_login_defs low Ensure the Default Umask is Set Correctly in login.defs The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
ensure_redhat_gpgkey_installed high Ensure Red Hat GPG Key Installed Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_never_disabled high Ensure gpgcheck Enabled For All Yum Package Repositories Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
SRG-OS-000366-GPOS-00153
CCI-001749
security_patches_up_to_date high Ensure Software Patches Installed Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
clean_components_post_updating low Ensure YUM Removes Previous Package Versions Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. Yum should be configured to remove previous software components after previous versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. SRG-OS-000437-GPOS-00194
CCI-002617
network_disable_ddns_interfaces medium Disable Client Dynamic DNS Updates Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. Dynamic DNS allows clients to dynamically update their own DNS records. The updates are transmitted by unencrypted means which can reveal information to a potential malicious user. If the system does not require Dynamic DNS, remove all DHCP_HOSTNAME references from the /etc/sysconfig/network-scripts/ifcfg-interface scripts. If dhclient is used, remove all send host-name hostname references from the /etc/dhclient.conf configuration file and/or any reference from the /etc/dhcp directory. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
libreswan_approved_tunnels medium Verify Any Configured IPSec Tunnel Connections IP tunneling mechanisms can be used to bypass network filtering. Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d exists is an approved organizational connection. CCI-000336
CM-4 (2)
package_libreswan_installed medium Install libreswan Package Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:
$ sudo yum install libreswan
CCI-001130
CCI-001131
SC-9
SC-9 (1)
package_dracut-fips_installed medium Install the dracut-fips Package Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips
SRG-OS-000033-GPOS-00014
SRG-OS-000478-GPOS-00223
SRG-OS-000396-GPOS-00176
CCI-000068
CCI-002450
AC-17 (2)
grub2_enable_fips_mode medium Enable FIPS Mode in GRUB2 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To ensure FIPS mode is enabled, rebuild initramfs by running the following command:
dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o
command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
SRG-OS-000033-GPOS-00014
SRG-OS-000478-GPOS-00223
SRG-OS-000396-GPOS-00176
CCI-000068
CCI-002450
AC-17 (2)
rsyslog_remote_loghost low Ensure Logs Sent To Remote Host A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @loghost.example.com

To use TCP for log message delivery:
*.* @@loghost.example.com

To use RELP for log message delivery:
*.* :omrelp:loghost.example.com
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-000366
CCI-001348
CCI-000136
CCI-001851
CM-6 b
AU-9 (2)
AU-3 (2)
rsyslog_nolisten low Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
CM-3 e
CM-6 c
rsyslog_cron_logging medium Ensure cron Is Logging To Rsyslog Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:
cron.*                                                  /var/log/cron
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
package_openssh-server_installed medium Install the OpenSSH Server Package Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-000481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
firewalld_sshd_port_enabled low Enable SSH Server firewalld Firewall exception If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port. By default, inbound connections to SSH's port are allowed. If the SSH server is being used but denied by the firewall, this exception should be added to the firewall configuration.

To configure firewalld to allow access, run the following command(s): firewall-cmd --permanent --add-service=ssh
service_sshd_enabled medium Enable the OpenSSH Service Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-000481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
sshd_disable_compression medium Disable Compression Or Set Compression to delayed If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges. Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise , it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression no
or
Compression delayed
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_disable_gssapi_auth medium Disable GSSAPI Authentication GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000368
CCI-000318
CCI-001812
CCI-001813
CCI-001814
CM-6 c
CM-3 e
sshd_disable_kerb_auth medium Disable Kerberos Authentication Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000368
CCI-000318
CCI-001812
CCI-001813
CCI-001814
CM-6 c
CM-3 e
sshd_enable_strictmodes medium Enable Use of Strict Mode Checking If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_use_priv_separation medium Enable Use of Privilege Separation SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_limit_user_access low Limit Users' SSH Access Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file:
DenyUsers USER1 USER2
Where USER1 and USER2 are valid user names.
sshd_print_last_log low Print Last Log Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_disable_user_known_hosts medium Disable SSH Support for User Known Hosts Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. SSH can allow system users user host-based authentication to connect to systems if a cache of the remote systems public keys are available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sshd_disable_rhosts_rsa medium Disable SSH Support for Rhosts RSA Authentication Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
RhostsRSAAuthentication no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
sssd_memcache_timeout medium Configure SSSD's Memory Cache to Expire If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD's memory cache should be configured to set to expire records after 1 day. To configure SSSD to expire memory cache, set memcache_timeout to 86400 under the [nss] section in /etc/sssd/sssd.conf. For example:
[nss]
memcache_timeout = 86400
SRG-OS-000383-GPOS-00166
CCI-002007
sssd_offline_cred_expiration medium Configure SSSD to Expire Offline Credentials If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
SRG-OS-000383-GPOS-00166
CCI-002007
sssd_ssh_known_hosts_timeout medium Configure SSSD to Expire SSH Known Hosts If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD should be configured to expire keys from known SSH hosts after 1 day. To configure SSSD to known SSH hosts, set ssh_known_hosts_timeout to 86400 under the [ssh] section in /etc/sssd/sssd.conf. For example:
[ssh]
ssh_known_hosts_timeout = 86400
SRG-OS-000383-GPOS-00166
SRG-OS-000383-GPOS-00166
CCI-002007
CCI-002007
install_mcafee_hbss_accm medium Install the Asset Configuration Compliance Module (ACCM) Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts. Install the Asset Configuration Compliance Module (ACCM). SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001263
CM-6 b
SI-4 (5)
install_mcafee_hbss_pa medium Install the Policy Auditor (PA) Module Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts. Install the Policy Auditor (PA) Module. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001263
CM-6 b
SI-4 (5)
install_mcafee_antivirus high Install McAfee Virus Scanning Software Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001239
CCI-001668
CM-6 b
SI-3 a
SI-3 a
service_nails_enabled medium Enable nails Service Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. The nails service is used to run McAfee VirusScan Enterprise for Linux and McAfee Host-based Security System (HBSS) services. The nails service can be enabled with the following command:
$ sudo systemctl enable nails.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001239
CCI-001668
CM-6 b
SI-3 a
SI-3 a
mcafee_antivirus_definitions_updated medium Virus Scanning Software Definitions Are Updated Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. Ensure virus definition files are no older than 7 days or their last release. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001239
CCI-001668
CM-6 b
SI-3 a
SI-3 a
aide_scan_notification medium Configure Notification of Post-AIDE Scan Details Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
SRG-OS-000363-GPOS-00150
CCI-001744
aide_verify_acls medium Configure AIDE to Verify Access Control Lists (ACLs) ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
aide_verify_ext_attributes medium Configure AIDE to Verify Extended Attributes Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
aide_use_fips_hashes medium Configure AIDE to Use FIPS 140-2 for Validating Hashes File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
xwindows_runlevel_setting medium Disable X Windows Startup By Setting Default Target Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented. Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
package_xorg-x11-server-common_removed medium Remove the X Windows Package Group Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
enable_x11_forwarding high Enable Encrypted X11 Fordwarding Open X displays allow an attacker to capture keystrokes and to execute commands remotely. By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
mount_option_krb_sec_remote_filesystems medium Mount Remote Filesystems with Kerberos Security When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
use_kerberos_security_all_exports medium Use Kerberos Security on All Exports When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
package_tftp-server_removed high Uninstall tftp-server Package Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
CM-3 e
CM-6 c
tftpd_uses_secure_mode medium Ensure tftp Daemon Uses Secure Mode Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
service_zebra_disabled medium Disable Quagga Service Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network. The zebra service can be disabled with the following command:
$ sudo systemctl disable zebra.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
snmpd_not_default_password high Ensure Default SNMP Password Is Not Used Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
service_kdump_disabled medium Disable KDump Kernel Crash Analyzer (kdump) Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
package_vsftpd_removed high Uninstall vsftpd Package Removing the vsftpd package decreases the risk of its accidental activation. The vsftpd package can be removed with the following command:
$ sudo yum erase vsftpd
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
disable_ctrlaltdel_reboot high Disable Ctrl-Alt-Del Reboot Activation A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
dir_perms_world_writable_system_owned low Ensure All World-Writable Directories Are Owned by a System Account Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
file_owner_cron_allow medium Verify User Who Owns /etc/cron.allow file If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b
file_groupowner_cron_allow medium Verify Group Who Owns /etc/cron.allow file If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00231
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CM-6 b