Score

44.44%

Adjusted Score:	44.44%
Original Score:	44.44%
Compliance Status:	RED

Pass:	28	Not Applicable:	2
Fail:	35	Not Checked:	0
Error:	0	Not Selected:	0
Unknown:	0	Informational:	0
Fixed:	0	Total:	65

BLUE:	Score equals 100
GREEN:	Score is greater than or equal to 90
YELLOW:	Score is greater than or equal to 80
RED:	Score is greater than or equal to 0

System Information

Target Hostname:	IP-10-192-10-163.US-GOV-WEST-1.COMPUTE.INTERNAL
Operating System:	RedHat Variant
OS Version:	9.3
Domain:
FQDN:	IP-10-192-10-163.US-GOV-WEST-1.COMPUTE.INTERNAL.
Processor:	Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
Processor Architecture:	x86_64
Processor Speed:	2300 mhz
Physical Memory:	15725 mb
Manufacturer:	Xen
Model:	HVM domU
Serial Number:	ec29fc9e-e86c-82d5-1cc1-1c8fdbf96de9
BIOS Version:	4.11.amazon
Interfaces:	lo IP Addresses 127.0.0.1 MAC Address: 00:00:00:00:00:00 lo IP Addresses ::1/128 MAC Address: 00:00:00:00:00:00 eth0 IP Addresses 10.192.10.163 MAC Address: 06:a1:bf:48:bf:1a eth0 IP Addresses fe80::4a1:bfff:fe48:bf1a/64 MAC Address: 06:a1:bf:48:bf:1a

Content Information

Stream:

RHEL_9_STIG

Profile:

Id:	MAC-1_Classified

Digital Signature Status:

NOT DIGITALLY SIGNED

Stream Installation Date:

2024-01-16

Status:

draft (2023-09-13)

Title:

Red Hat Enterprise Linux 9 STIG SCAP Benchmark

Description:

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Notice:

Front-Matter:

Target Platforms:

xccdf_mil.disa.stig_platform_LinuxIPv6enabled

Reference:

Href:	https://cyber.mil
Publisher:	DISA
Source:	STIG.DOD.MIL

Stream Version:

001.000.001

Source OVAL Version:

5.11.2

Result OVAL Version:

5.11.2

Source OCIL Version:

Result OCIL Version:

Start Time:

2024-01-16T02:24:32

End Time:

2024-01-16T02:34:53

Scan Duration:

00:10:21

Scanner:

cpe:/a:niwc:scc:5.8

Identity:

root

Identity Privileged:

true

Identity Authenticated:

true

Release Info:

Release: 1.0.1 Benchmark Date: 4 Jan 2024

Results: High Severity (CAT I)

Automated Checks

V-257777 - RHEL 9 must be a vendor-supported release. - Pass
V-257784 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. - Fail
V-257820 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. - Pass
V-257821 - RHEL 9 must check the GPG signature of locally installed software packages before installation. - Fail
V-257826 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed. - Pass
V-257955 - There must be no shosts.equiv files on RHEL 9. - Pass
V-257956 - There must be no .shosts files on RHEL 9. - Pass
V-257984 - RHEL 9 SSHD must not allow blank passwords. - Fail
V-257986 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. - Fail
V-258059 - The root account must be the only account having unrestricted access to RHEL 9 system. - Pass
V-258078 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services. - Fail
V-258094 - RHEL 9 must not allow blank or null passwords. - Fail
V-258230 - RHEL 9 must enable FIPS mode. - Fail

Manual Checks

Results: Medium Severity (CAT II)

Automated Checks

V-257781 - The graphical display manager must not be the default target on RHEL 9 unless approved. - Pass
V-257787 - RHEL 9 must require a boot loader superuser password. - Fail
V-257790 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. - Pass
V-257791 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root. - Pass
V-257797 - RHEL 9 must restrict access to the kernel message buffer. - Fail
V-257798 - RHEL 9 must prevent kernel profiling by nonprivileged users. - Fail
V-257799 - RHEL 9 must prevent the loading of a new kernel for later execution. - Fail
V-257802 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - Pass
V-257803 - RHEL 9 must disable the kernel.core_pattern. - Fail
V-257805 - RHEL 9 must be configured to disable the Controller Area Network kernel module. - Fail
V-257808 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. - Fail
V-257810 - RHEL 9 must disable access to network bpf system call from nonprivileged processes. - Fail
V-257811 - RHEL 9 must restrict usage of ptrace to descendant processes. - Fail
V-257813 - RHEL 9 must disable storing core dumps. - Fail
V-257814 - RHEL 9 must disable core dumps for all users. - Fail
V-257815 - RHEL 9 must disable acquiring, saving, and processing core dumps. - Fail
V-257816 - RHEL 9 must disable the use of user namespaces. - Fail
V-257827 - RHEL 9 must not have the sendmail package installed. - Pass
V-257828 - RHEL 9 must not have the nfs-utils package installed. - Pass
V-257830 - RHEL 9 must not have the rsh-server package installed. - Pass
V-257831 - RHEL 9 must not have the telnet-server package installed. - Pass
V-257833 - RHEL 9 must not have the iprutils package installed. - Pass
V-257834 - RHEL 9 must not have the tuned package installed. - Fail
V-257837 - A graphical display manager must not be installed on RHEL 9 unless approved. - Pass
V-257840 - RHEL 9 must have the nss-tools package installed. - Fail
V-257841 - RHEL 9 must have the rng-tools package installed. - Fail
V-257842 - RHEL 9 must have the s-nail package installed. - Fail
V-257849 - RHEL 9 file system automount function must be disabled unless required. - Pass
V-257850 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. - Fail
V-257855 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). - Pass
V-257864 - RHEL 9 must mount /dev/shm with the noexec option. - Fail
V-257865 - RHEL 9 must mount /dev/shm with the nosuid option. - Pass
V-257867 - RHEL 9 must mount /tmp with the noexec option. - Fail
V-257873 - RHEL 9 must mount /var/log/audit with the nodev option. - Fail
V-257881 - RHEL 9 must prevent special devices on non-root local partitions. - Fail
V-257885 - RHEL 9 /var/log directory must have mode 0755 or less permissive. - Pass
V-257887 - RHEL 9 audit tools must have a mode of 0755 or less permissive. - Pass
V-257893 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - Pass
V-257899 - RHEL 9 /etc/group file must be group-owned by root. - Pass
V-257917 - RHEL 9 /var/log/messages file must be group-owned by root. - Pass
V-257935 - RHEL 9 must have the firewalld package installed. - Fail
V-257943 - RHEL 9 must have the chrony package installed. - Pass
V-257969 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - Fail
V-257975 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. - Fail
V-257993 - RHEL 9 must not allow users to override SSH environment variables. - Fail
V-257995 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. - Fail
V-257999 - RHEL 9 SSH server configuration file must have mode 0600 or less permissive. - Pass
V-258007 - RHEL 9 SSH daemon must disable remote X connections for interactive users. - Fail
V-258082 - RHEL 9 policycoreutils-python-utils package must be installed. - Pass
V-258151 - RHEL 9 audit package must be installed. - Pass

Manual Checks

Results: Low Severity (CAT III)

Automated Checks

Manual Checks

Detailed Results: High Severity (CAT I)

V-257777 - RHEL 9 must be a vendor-supported release.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257777r925318_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-211010

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.

Fix Text:

Upgrade to a supported version of RHEL 9.

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257777
Result:	true
Title:	RHEL-09-211010 - RHEL 9 must be a vendor-supported release.
Description:	An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The RHEL 9 minor version is supported.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25777700 (textfilecontent54_test)
Result:	true
Title:	The RHEL 9 minor version is supported.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
State Operator:	One or more item-state comparisons may be true.
Object ID:	oval:mil.disa.stig.ind:obj:25777700 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc' filename must be equal to 'redhat-release' pattern must match the pattern '^\s*Red Hat Enterprise Linux release 9\.(\d+)' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'
State ID:	oval:mil.disa.stig.ind:ste:20000004 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '2'
State ID:	oval:mil.disa.stig.ind:ste:20000005 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '3'
Collected Item/State Result: [ true ]	filepath equals '/etc/redhat-release' path equals '/etc' filename equals 'redhat-release' pattern equals '^\s*Red Hat Enterprise Linux release 9\.(\d+)' instance equals '1' text equals 'Red Hat Enterprise Linux release 9.3' subexpression equals '3'

V-257784 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257784r925339_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-211045

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-002235 (NIST SP 800-53 Rev 4: AC-6 (10); NIST SP 800-53 Rev 5: AC-6 (10))

Description:

A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227

Fix Text:

Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file:

CtrlAltDelBurstAction=none

Reload the daemon for this change to take effect.

$ sudo systemctl daemon-reload

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257784
Result:	false
Title:	RHEL-09-211045 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
Description:	A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/etc/systemd/system.conf:CtrlAltDelBurstAction is set to none.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23053100 (textfilecontent54_test)
Result:	false
Title:	/etc/systemd/system.conf:CtrlAltDelBurstAction is set to none.
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23053100 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/systemd/system.conf' pattern must match the pattern '^\sCtrlAltDelBurstAction\s=\s(\S+)\s$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000014 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to 'none'
Additional Information:	Check existence requirement not met.

V-257820 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257820r925447_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-214015

Identities:

CCI-001749 (NIST SP 800-53 Rev 4: CM-5 (3))

Description:

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

All software packages must be signed with a cryptographic key recognized and approved by the organization.

Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.

Fix Text:

Configure dnf to always check the GPG signature of software packages originating from external software repositories before installation.

Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:

gpgcheck=1

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257820
Result:	true
Title:	RHEL-09-214015 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
Description:	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/etc/dnf/dnf.conf gpgcheck=1)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25782000 (textfilecontent54_test)
Result:	true
Title:	/etc/dnf/dnf.conf gpgcheck=1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25782000 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/dnf/dnf.conf' pattern must match the pattern '^gpgcheck=(.*)$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:25782000 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Collected Item/State Result: [ true ]	filepath equals '/etc/dnf/dnf.conf' path equals '/etc/dnf' filename equals 'dnf.conf' pattern equals '^gpgcheck=(.*)$' instance equals '1' text equals 'gpgcheck=1' subexpression equals '1'

V-257821 - RHEL 9 must check the GPG signature of locally installed software packages before installation.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257821r925450_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-214020

Identities:

CCI-001749 (NIST SP 800-53 Rev 4: CM-5 (3))

Description:

Fix Text:

Configure dnf to always check the GPG signature of local software packages before installation.

Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file:

localpkg_gpgcheck=1

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257821
Result:	false
Title:	RHEL-09-214020 - RHEL 9 must check the GPG signature of locally installed software packages before installation.
Description:	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/etc/dnf/dnf.conf: localpkg_gpgcheck is set to True, 1, or yes.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23026500 (textfilecontent54_test)
Result:	false
Title:	/etc/dnf/dnf.conf: localpkg_gpgcheck is set to True, 1, or yes.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23026500 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/dnf/dnf.conf' pattern must match the pattern '^\slocalpkg_gpgcheck\s=\s*(\w+)\b$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000021 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^(True\|1\|yes)$'
Additional Information:	Check existence requirement not met.

V-257826 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257826r925465_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215015

Identities:

CCI-000197 (NIST SP 800-53: IA-5 (1) (c); NIST SP 800-53A: IA-5 (1).1 (v); NIST SP 800-53 Rev 4: IA-5 (1) (c); NIST SP 800-53 Rev 5: IA-5 (1) (c))
CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.

Removing the "vsftpd" package decreases the risk of accidental activation.

Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227

Fix Text:

The ftp package can be removed with the following command (using vsftpd as an example):

$ sudo dnf remove vsftpd

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257826
Result:	true
Title:	RHEL-09-215015 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
Description:	The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. Removing the "vsftpd" package decreases the risk of accidental activation. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (No File Transfer Protocol (FTP) server packages are installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25782600 (rpminfo_test)
Result:	true
Title:	No File Transfer Protocol (FTP) server packages are installed
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25782600 (rpminfo_object)
Object Requirements:	name must match the pattern 'ftp'

V-257955 - There must be no shosts.equiv files on RHEL 9.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257955r925852_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-252070

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Fix Text:

Remove any found "shosts.equiv" files from the system.

$ sudo rm /[path]/[to]/[file]/shosts.equiv

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257955
Result:	true
Title:	RHEL-09-252070 - There must be no shosts.equiv files on RHEL 9.
Description:	The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (There must be no shosts.equiv files on the system.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23028300 (file_test)
Result:	true
Title:	There must be no shosts.equiv files on the system.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.unix:obj:23028300 (file_object)
Object Requirements:	behavior requirements: recurse = directories recurse_direction = down recurse_file_system = local path must be equal to '/' filename must be equal to 'shosts.equiv'

V-257956 - There must be no .shosts files on RHEL 9.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257956r925855_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-252075

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Fix Text:

Remove any found ".shosts" files from the system.

$ sudo rm /[path]/[to]/[file]/.shosts

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257956
Result:	true
Title:	RHEL-09-252075 - There must be no .shosts files on RHEL 9.
Description:	The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (There are no .shosts files on the system.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23028400 (file_test)
Result:	true
Title:	There are no .shosts files on the system.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.unix:obj:23028400 (file_object)
Object Requirements:	behavior requirements: recurse = directories recurse_direction = down recurse_file_system = local path must be equal to '/' filename must be equal to '.shosts'

V-257984 - RHEL 9 SSHD must not allow blank passwords.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257984r925939_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-255040

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-000766 (NIST SP 800-53: IA-2 (2); NIST SP 800-53A: IA-2 (2).1; NIST SP 800-53 Rev 4: IA-2 (2); NIST SP 800-53 Rev 5: IA-2 (2))

Description:

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227

Fix Text:

To configure the system to prevent SSH users from logging on with blank passwords edit the following line in "etc/ssh/sshd_config":

PermitEmptyPasswords no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257984
Result:	false
Title:	RHEL-09-255040 - RHEL 9 SSHD must not allow blank passwords.
Description:	If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (The PermitEmptyPasswords option is set to no in /etc/ssh/sshd_config.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25798400 (textfilecontent54_test)
Result:	false
Title:	The PermitEmptyPasswords option is set to no in /etc/ssh/sshd_config.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25798400 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/ssh/sshd_config' pattern must match the pattern '^(?i)\s*PermitEmptyPasswords\s+(\w+)$' instance must be equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000017 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^(no\|"no")$'
Additional Information:	Check existence requirement not met.

V-257986 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257986r925945_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-255050

Identities:

CCI-000877 (NIST SP 800-53: MA-4 c; NIST SP 800-53A: MA-4.1 (iv); NIST SP 800-53 Rev 4: MA-4 c; NIST SP 800-53 Rev 5: MA-4 c)

Description:

When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server.

Fix Text:

Configure the RHEL 9 SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config".

UsePAM yes

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257986
Result:	false
Title:	RHEL-09-255050 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
Description:	When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (UsePAM is set to yes in /etc/ssh/sshd_config.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25798600 (textfilecontent54_test)
Result:	false
Title:	UsePAM is set to yes in /etc/ssh/sshd_config.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25798600 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/ssh/sshd_config' pattern must match the pattern '^\sUsePAM\s+(\w)' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000023 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to 'yes'
Additional Information:	Check existence requirement not met.

V-258059 - The root account must be the only account having unrestricted access to RHEL 9 system.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258059r926164_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-411100

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Fix Text:

Change the UID of any account on the system, other than root, that has a UID of "0".

If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258059
Result:	true
Title:	RHEL-09-411100 - The root account must be the only account having unrestricted access to RHEL 9 system.
Description:	An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (Only the root account has a UID of zero.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23053400 (password_test)
Result:	true
Title:	Only the root account has a UID of zero.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23053400 (password_object)
Object Requirements:	username must not be equal to 'root'
State ID:	oval:mil.disa.stig.unix:ste:23053400 (password_state)
State Requirements:	check_existence = 'at_least_one_exists', user_id must not be equal to '0'
Collected Item/State Result: [ true ]	username equals 'adm' password equals [MASKED PASSWORD FIELD] user_id equals '3' group_id equals '4' gcos equals 'adm' home_dir equals '/var/adm' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'apache' password equals [MASKED PASSWORD FIELD] user_id equals '48' group_id equals '48' gcos equals 'Apache' home_dir equals '/usr/share/httpd' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'battletroll' password equals [MASKED PASSWORD FIELD] user_id equals '1001' group_id equals '1001' gcos equals '' home_dir equals '/home/battletroll' login_shell equals '/bin/bash' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'bin' password equals [MASKED PASSWORD FIELD] user_id equals '1' group_id equals '1' gcos equals 'bin' home_dir equals '/bin' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'chrony' password equals [MASKED PASSWORD FIELD] user_id equals '996' group_id equals '993' gcos equals 'chrony system user' home_dir equals '/var/lib/chrony' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'daemon' password equals [MASKED PASSWORD FIELD] user_id equals '2' group_id equals '2' gcos equals 'daemon' home_dir equals '/sbin' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'david.noever' password equals [MASKED PASSWORD FIELD] user_id equals '1002' group_id equals '1002' gcos equals '' home_dir equals '/home/david.noever' login_shell equals '/bin/bash' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'dbus' password equals [MASKED PASSWORD FIELD] user_id equals '81' group_id equals '81' gcos equals 'System message bus' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'ec2-user' password equals [MASKED PASSWORD FIELD] user_id equals '1000' group_id equals '1000' gcos equals 'Cloud User' home_dir equals '/home/ec2-user' login_shell equals '/bin/bash' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'ftp' password equals [MASKED PASSWORD FIELD] user_id equals '14' group_id equals '50' gcos equals 'FTP User' home_dir equals '/var/ftp' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'games' password equals [MASKED PASSWORD FIELD] user_id equals '12' group_id equals '100' gcos equals 'games' home_dir equals '/usr/games' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'halt' password equals [MASKED PASSWORD FIELD] user_id equals '7' group_id equals '0' gcos equals 'halt' home_dir equals '/sbin' login_shell equals '/sbin/halt' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'lp' password equals [MASKED PASSWORD FIELD] user_id equals '4' group_id equals '7' gcos equals 'lp' home_dir equals '/var/spool/lpd' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'mail' password equals [MASKED PASSWORD FIELD] user_id equals '8' group_id equals '12' gcos equals 'mail' home_dir equals '/var/spool/mail' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'nginx' password equals [MASKED PASSWORD FIELD] user_id equals '990' group_id equals '990' gcos equals 'Nginx web server' home_dir equals '/var/lib/nginx' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'nobody' password equals [MASKED PASSWORD FIELD] user_id equals '65534' group_id equals '65534' gcos equals 'Kernel Overflow User' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'operator' password equals [MASKED PASSWORD FIELD] user_id equals '11' group_id equals '0' gcos equals 'operator' home_dir equals '/root' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'polkitd' password equals [MASKED PASSWORD FIELD] user_id equals '998' group_id equals '996' gcos equals 'User for polkitd' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'shutdown' password equals [MASKED PASSWORD FIELD] user_id equals '6' group_id equals '0' gcos equals 'shutdown' home_dir equals '/sbin' login_shell equals '/sbin/shutdown' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'sshd' password equals [MASKED PASSWORD FIELD] user_id equals '74' group_id equals '74' gcos equals 'Privilege-separated SSH' home_dir equals '/usr/share/empty.sshd' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'sssd' password equals [MASKED PASSWORD FIELD] user_id equals '997' group_id equals '994' gcos equals 'User for sssd' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'sync' password equals [MASKED PASSWORD FIELD] user_id equals '5' group_id equals '0' gcos equals 'sync' home_dir equals '/sbin' login_shell equals '/bin/sync' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'systemd-coredump' password equals [MASKED PASSWORD FIELD] user_id equals '999' group_id equals '997' gcos equals 'systemd Core Dumper' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'systemd-oom' password equals [MASKED PASSWORD FIELD] user_id equals '991' group_id equals '991' gcos equals 'systemd Userspace OOM Killer' home_dir equals '/' login_shell equals '/usr/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'tcpdump' password equals [MASKED PASSWORD FIELD] user_id equals '72' group_id equals '72' gcos equals '' home_dir equals '/' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'tss' password equals [MASKED PASSWORD FIELD] user_id equals '59' group_id equals '59' gcos equals 'Account used for TPM access' home_dir equals '/dev/null' login_shell equals '/sbin/nologin' last_login equals '0'
Collected Item/State Result: [ true ]	username equals 'tyson' password equals [MASKED PASSWORD FIELD] user_id equals '1003' group_id equals '1003' gcos equals 'Tyson' home_dir equals '/home/tyson' login_shell equals '/bin/bash' last_login equals '0'

V-258078 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258078r926221_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-431010

Identities:

CCI-001084 (NIST SP 800-53: SC-3; NIST SP 800-53A: SC-3.1 (ii); NIST SP 800-53 Rev 4: SC-3; NIST SP 800-53 Rev 5: SC-3)
CCI-002696 (NIST SP 800-53 Rev 4: SI-6 a; NIST SP 800-53 Rev 5: SI-6 a)

Description:

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068

Fix Text:

Configure RHEL 9 to verify correct operation of security functions.

Edit the file "/etc/selinux/config" and add or modify the following line:

SELINUX=enforcing

A reboot is required for the changes to take effect.

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258078
Result:	false
Title:	RHEL-09-431010 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
Description:	Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) true (selinux is active) false (selinux is enforcing) true (/etc/selinux/config:SELINUX=enforcing)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23024000 (partition_test)
Result:	true
Title:	selinux is active
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23024000 (partition_object)
Object Requirements:	mount_point must be equal to '/sys/fs/selinux'
State ID:	oval:mil.disa.stig.linux:ste:23024000 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', fs_type must be equal to 'selinuxfs'
Collected Item/State Result: [ true ]	Message - 'device' mount_point equals '/sys/fs/selinux' device equals 'selinuxfs' uuid does not exist fs_type equals 'selinuxfs' mount_options equals 'rw' mount_options equals 'nosuid' mount_options equals 'noexec' mount_options equals 'relatime' mount_options equals '4106' total_space does not exist space_used does not exist space_left does not exist space_left_for_unprivileged_users does not exist block_size equals '4096'

Test ID:	oval:mil.disa.stig.ind:tst:23024000 (textfilecontent54_test)
Result:	false
Title:	selinux is enforcing
Check Existence:	One and only one collected item may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23024000 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/sys/fs/selinux/enforce' pattern must match the pattern '^(\d+)$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23024000 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must not be equal to '0'
Collected Item/State Result: [ false ]	filepath equals '/sys/fs/selinux/enforce' path equals '/sys/fs/selinux' filename equals 'enforce' pattern equals '^(\d+)$' instance equals '1' text equals '0' subexpression equals '0'
Additional Information:	Check requirement not met. subexpression

Test ID:	oval:mil.disa.stig.ind:tst:23024001 (textfilecontent54_test)
Result:	true
Title:	/etc/selinux/config:SELINUX=enforcing
Check Existence:	One and only one collected item may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23024001 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/selinux/config' pattern must match the pattern '^SELINUX=(.)\s$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23024001 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to 'enforcing'
Collected Item/State Result: [ true ]	filepath equals '/etc/selinux/config' path equals '/etc/selinux' filename equals 'config' pattern equals '^SELINUX=(.)\s$' instance equals '1' text equals 'SELINUX=enforcing' subexpression equals 'enforcing'

V-258094 - RHEL 9 must not allow blank or null passwords.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258094r926269_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-611025

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Fix Text:

Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to prevent logons with empty passwords.

Note: Manual changes to the listed file may be overwritten by the "authselect" program.

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258094
Result:	false
Title:	RHEL-09-611025 - RHEL 9 must not allow blank or null passwords.
Description:	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (There are no instances of nullok in /etc/pam.d/system-auth.) false (All child checks must be true.) false (There are no instances of nullok in /etc/pam.d/password-auth.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:24454000 (textfilecontent54_test)
Result:	false
Title:	There are no instances of nullok in /etc/pam.d/system-auth.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:24454000 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/pam.d/system-auth' pattern must match the pattern '\bnullok\b' instance must be greater than or equal to '1'
Collected Item/State Result: [ not evaluated ]	filepath equals '/etc/pam.d/system-auth' path equals '/etc/pam.d' filename equals 'system-auth' pattern equals '\bnullok\b' instance equals '1' text equals 'nullok' subexpression does not exist
Collected Item/State Result: [ not evaluated ]	filepath equals '/etc/pam.d/system-auth' path equals '/etc/pam.d' filename equals 'system-auth' pattern equals '\bnullok\b' instance equals '2' text equals 'nullok' subexpression does not exist
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.ind:tst:24454100 (textfilecontent54_test)
Result:	false
Title:	There are no instances of nullok in /etc/pam.d/password-auth.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:24454100 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/pam.d/password-auth' pattern must match the pattern '\bnullok\b' instance must be greater than or equal to '1'
Collected Item/State Result: [ not evaluated ]	filepath equals '/etc/pam.d/password-auth' path equals '/etc/pam.d' filename equals 'password-auth' pattern equals '\bnullok\b' instance equals '1' text equals 'nullok' subexpression does not exist
Collected Item/State Result: [ not evaluated ]	filepath equals '/etc/pam.d/password-auth' path equals '/etc/pam.d' filename equals 'password-auth' pattern equals '\bnullok\b' instance equals '2' text equals 'nullok' subexpression does not exist
Additional Information:	Check existence requirement not met.

V-258230 - RHEL 9 must enable FIPS mode.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258230r926677_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-671010

Identities:

CCI-000068 (NIST SP 800-53: AC-17 (2); NIST SP 800-53A: AC-17 (2).1; NIST SP 800-53 Rev 4: AC-17 (2); NIST SP 800-53 Rev 5: AC-17 (2))
CCI-000877 (NIST SP 800-53: MA-4 c; NIST SP 800-53A: MA-4.1 (iv); NIST SP 800-53 Rev 4: MA-4 c; NIST SP 800-53 Rev 5: MA-4 c)
CCI-002418 (NIST SP 800-53 Rev 4: SC-8; NIST SP 800-53 Rev 5: SC-8)
CCI-002450 (NIST SP 800-53 Rev 4: SC-13; NIST SP 800-53 Rev 5: SC-13 b)

Description:

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223

Fix Text:

Configure the operating system to implement FIPS mode with the following command

$ sudo fips-mode-setup --enable

Reboot the system for the changes to take effect.

Severity:

high

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258230
Result:	false
Title:	RHEL-09-672582300 - RHEL 9 must enable FIPS mode.
Description:	Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (fips_enabled == 1)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25823000 (textfilecontent54_test)
Result:	false
Title:	fips_enabled == 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25823000 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/proc/sys/crypto/fips_enabled' pattern must match the pattern '^(\d+)$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Collected Item/State Result: [ false ]	filepath equals '/proc/sys/crypto/fips_enabled' path equals '/proc/sys/crypto' filename equals 'fips_enabled' pattern equals '^(\d+)$' instance equals '1' text equals '0' subexpression equals '0'
Additional Information:	Check requirement not met. subexpression

Detailed Results: Medium Severity (CAT II)

V-257781 - The graphical display manager must not be the default target on RHEL 9 unless approved.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257781r925330_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-211030

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.

Fix Text:

Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command:

$ sudo systemctl set-default multi-user.target

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257781
Result:	true
Title:	RHEL-09-211030 - The graphical display manager must not be the default target on RHEL 9 unless approved.
Description:	Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (default.target is symlinked to multi-user.target)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25171800 (symlink_test)
Result:	true
Title:	default.target is symlinked to multi-user.target
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25171800 (symlink_object)
Object Requirements:	filepath must be equal to '/etc/systemd/system/default.target'
State ID:	oval:mil.disa.stig.unix:ste:25171800 (symlink_state)
State Requirements:	check_existence = 'at_least_one_exists', canonical_path must match the pattern '[\S]*\/multi\-user\.target$'
Collected Item/State Result: [ true ]	filepath equals '/etc/systemd/system/default.target' canonical_path equals '/usr/lib/systemd/system/multi-user.target'

V-257787 - RHEL 9 must require a boot loader superuser password.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257787r925348_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-212010

Identities:

CCI-000213 (NIST SP 800-53: AC-3; NIST SP 800-53A: AC-3.1; NIST SP 800-53 Rev 4: AC-3; NIST SP 800-53 Rev 5: AC-3)

Description:

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Fix Text:

Configure RHEL 9 to require a grub bootloader password for the grub superuser account.

Generate an encrypted grub2 password for the grub superuser account with the following command:

$ sudo grub2-setpassword
Enter password:
Confirm password:

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257787
Result:	false
Title:	RHEL-09-212010 - RHEL 9 must require a boot loader superuser password.
Description:	To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) true (/etc/grub2.cfg:superusers exists and has a name.) false (/boot/grub2/user.cfg:GRUB2_PASSWORD exists and has a PBKDF2/SHA512 password assigned.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:25778700 (textfilecontent54_test)
Result:	true
Title:	/etc/grub2.cfg:superusers exists and has a name.
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25778700 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/grub2.cfg' pattern must match the pattern '^\sset\s+superusers\s=\s"(\S+)"\s$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:25778700 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^\S+$'
Collected Item/State Result: [ true ]	filepath equals '/etc/grub2.cfg' path equals '/etc' filename equals 'grub2.cfg' pattern equals '^\sset\s+superusers\s=\s"(\S+)"\s$' instance equals '1' text equals ' set superusers="root"' subexpression equals 'root'

Test ID:	oval:mil.disa.stig.ind:tst:25778701 (textfilecontent54_test)
Result:	false
Title:	/boot/grub2/user.cfg:GRUB2_PASSWORD exists and has a PBKDF2/SHA512 password assigned.
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25778701 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/boot/grub2/user.cfg' pattern must match the pattern '^\s*GRUB2_PASSWORD=(\S+)\b' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:25778701 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^grub\.pbkdf2\.sha512\.'
Additional Information:	Check existence requirement not met.

V-257790 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257790r925357_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-212025

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Fix Text:

Change the group of the file /boot/grub2/grub.cfg to root by running the following command:

$ sudo chgrp root /boot/grub2/grub.cfg

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257790
Result:	true
Title:	RHEL-09-212025 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
Description:	The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/boot/grub2/grub.cfg file is owned by root)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25779000 (file_test)
Result:	true
Title:	/boot/grub2/grub.cfg file is owned by root
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25779000 (file_object)
Object Requirements:	filepath must be equal to '/boot/grub2/grub.cfg'
State ID:	oval:mil.disa.stig.unix:ste:20000006 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', group_id must be equal to '0'
Collected Item/State Result: [ true ]	filepath equals '/boot/grub2/grub.cfg' path equals '/boot/grub2' filename equals 'grub.cfg' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1705371872' c_time equals '1702931318' m_time equals '1702931318' size equals '9359' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '0' gwrite equals '0' gexec equals '0' oread equals '0' owrite equals '0' oexec equals '0'

V-257791 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257791r925360_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-212030

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.

Fix Text:

Change the owner of the file /boot/grub2/grub.cfg to root by running the following command:

$ sudo chown root /boot/grub2/grub.cfg

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257791
Result:	true
Title:	RHEL-09-212030 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
Description:	The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/boot/grub2/grub.cfg file is owned by root)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25779100 (file_test)
Result:	true
Title:	/boot/grub2/grub.cfg file is owned by root
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25779100 (file_object)
Object Requirements:	filepath must be equal to '/boot/grub2/grub.cfg'
State ID:	oval:mil.disa.stig.unix:ste:20000005 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', user_id must be equal to '0'
Collected Item/State Result: [ true ]	filepath equals '/boot/grub2/grub.cfg' path equals '/boot/grub2' filename equals 'grub.cfg' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1705371872' c_time equals '1702931318' m_time equals '1702931318' size equals '9359' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '0' gwrite equals '0' gexec equals '0' oread equals '0' owrite equals '0' oexec equals '0'

V-257797 - RHEL 9 must restrict access to the kernel message buffer.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257797r925378_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213010

Identities:

CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2)
CCI-001090 (NIST SP 800-53: SC-4; NIST SP 800-53A: SC-4.1; NIST SP 800-53 Rev 4: SC-4; NIST SP 800-53 Rev 5: SC-4)

Description:

Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.

This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.

There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.

Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user.

Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069

Fix Text:

Configure RHEL 9 to restrict access to the kernel message buffer.

Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:

kernel.dmesg_restrict = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257797
Result:	false
Title:	RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer.
Description:	Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (One or more child checks must be true.) false (All child checks must be true.) true (kernel.dmesg_restrict setting in admin sysctl configuration files is missing) false (kernel.dmesg_restrict setting in system sysctl configuration files is set to 1) false (kernel.dmesg_restrict setting in admin sysctl configuration files is set to 1) false (kernel.dmesg_restrict setting in kernel is set to 1)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23026901 (textfilecontent54_test)
Result:	true
Title:	kernel.dmesg_restrict setting in admin sysctl configuration files is missing
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23026900 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.dmesg_restrict\s=\s(\d+)\s*$' instance must be greater than or equal to '1'

Test ID:	oval:mil.disa.stig.ind:tst:23026902 (textfilecontent54_test)
Result:	false
Title:	kernel.dmesg_restrict setting in system sysctl configuration files is set to 1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23026901 (textfilecontent54_object)
Object Requirements:	for path, at least one of the following must be true: path must be equal to '/run/sysctl.d' path must be equal to '/lib/sysctl.d' path must be equal to '/usr/lib/sysctl.d' path must be equal to '/usr/local/lib/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.dmesg_restrict\s=\s(\d+)\s*$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23026900 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.ind:tst:23026900 (textfilecontent54_test)
Result:	false
Title:	kernel.dmesg_restrict setting in admin sysctl configuration files is set to 1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23026900 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.dmesg_restrict\s=\s(\d+)\s*$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23026900 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.unix:tst:23026900 (sysctl_test)
Result:	false
Title:	kernel.dmesg_restrict setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23026900 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.dmesg_restrict'
State ID:	oval:mil.disa.stig.unix:ste:23026900 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '1'
Collected Item/State Result: [ false ]	name equals 'kernel.dmesg_restrict' value equals '0'
Additional Information:	Check requirement not met. value

V-257798 - RHEL 9 must prevent kernel profiling by nonprivileged users.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257798r925381_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213015

Identities:

Description:

Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.

This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.

There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.

Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user.

Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069

Fix Text:

Configure RHEL 9 to prevent kernel profiling by nonprivileged users.

Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:

kernel.perf_event_paranoid = 2

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257798
Result:	false
Title:	RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users.
Description:	Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) true (kernel.perf_event_paranoid setting in kernel is set to 2) false (kernel.perf_event_paranoid setting in /etc/sysctl.d/99-*.conf is set to 2, and nothing else, and there are no conflicting settings in other files)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23027000 (sysctl_test)
Result:	true
Title:	kernel.perf_event_paranoid setting in kernel is set to 2
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23027000 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.perf_event_paranoid'
State ID:	oval:mil.disa.stig.unix:ste:20000011 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '2'
Collected Item/State Result: [ true ]	name equals 'kernel.perf_event_paranoid' value equals '2'

Test ID:	oval:mil.disa.stig.ind:tst:23027001 (textfilecontent54_test)
Result:	false
Title:	kernel.perf_event_paranoid setting in /etc/sysctl.d/99-*.conf is set to 2, and nothing else, and there are no conflicting settings in other files
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23027003 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000004 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '2'
Additional Information:	Check existence requirement not met.

V-257799 - RHEL 9 must prevent the loading of a new kernel for later execution.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257799r925384_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213020

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-001749 (NIST SP 800-53 Rev 4: CM-5 (3))

Description:

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.

Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153

Fix Text:

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:

kernel.kexec_load_disabled = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257799
Result:	false
Title:	RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution.
Description:	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (kernel.kexec_load_disabled setting in kernel is set to 1) false (kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23026600 (sysctl_test)
Result:	false
Title:	kernel.kexec_load_disabled setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23026600 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.kexec_load_disabled'
State ID:	oval:mil.disa.stig.unix:ste:20000010 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '1'
Collected Item/State Result: [ false ]	name equals 'kernel.kexec_load_disabled' value equals '0'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23026601 (textfilecontent54_test)
Result:	false
Title:	kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23026603 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Additional Information:	Check existence requirement not met.

V-257802 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257802r925393_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-213035

Identities:

CCI-002165 (NIST SP 800-53 Rev 4: AC-3 (4); NIST SP 800-53 Rev 5: AC-3 (4))
CCI-002235 (NIST SP 800-53 Rev 4: AC-6 (10); NIST SP 800-53 Rev 5: AC-6 (10))

Description:

By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125

Fix Text:

Configure RHEL 9 to enable DAC on symlinks with the following:

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:

fs.protected_symlinks = 1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257802
Result:	true
Title:	RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
Description:	By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (fs.protected_symlinks setting in kernel is set to 1) true (fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23026700 (sysctl_test)
Result:	true
Title:	fs.protected_symlinks setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23026700 (sysctl_object)
Object Requirements:	name must be equal to 'fs.protected_symlinks'
State ID:	oval:mil.disa.stig.unix:ste:20000010 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '1'
Collected Item/State Result: [ true ]	name equals 'fs.protected_symlinks' value equals '1'

Test ID:	oval:mil.disa.stig.ind:tst:23026701 (textfilecontent54_test)
Result:	true
Title:	fs.protected_symlinks setting in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23026703 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Collected Item/State Result: [ true ]	filepath equals '/usr/lib/sysctl.d/50-default.conf' path equals '/usr/lib/sysctl.d' filename equals '50-default.conf' pattern equals '(?:^\|\.\n)\sfs\.protected_symlinks\s=\s(\d+)\s*$' instance equals '1' text equals ' fs.protected_symlinks = 1 ' subexpression equals '1'
Collected Item/State Result: [ true ]	filepath equals '/lib/sysctl.d/50-default.conf' path equals '/lib/sysctl.d' filename equals '50-default.conf' pattern equals '(?:^\|\.\n)\sfs\.protected_symlinks\s=\s(\d+)\s*$' instance equals '1' text equals ' fs.protected_symlinks = 1 ' subexpression equals '1'

V-257803 - RHEL 9 must disable the kernel.core_pattern.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257803r925396_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213040

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Fix Text:

Configure RHEL 9 to disable storing core dumps.

Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:

kernel.core_pattern = |/bin/false

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257803
Result:	false
Title:	RHEL-09-213040 - RHEL 9 must disable the kernel.core_pattern.
Description:	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (One or more child checks must be true.) false (All child checks must be true.) true (kernel.core_pattern setting in admin sysctl configuration files is missing) false (kernel.core_pattern setting in system sysctl configuration files is set to 1) false (kernel.core_pattern setting in admin sysctl configuration files is set to 1) false (kernel.core_pattern setting in kernel is set to 1)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23031101 (textfilecontent54_test)
Result:	true
Title:	kernel.core_pattern setting in admin sysctl configuration files is missing
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23031100 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.core_pattern\s=\s(.+)\s*$' instance must be greater than or equal to '1'

Test ID:	oval:mil.disa.stig.ind:tst:23031102 (textfilecontent54_test)
Result:	false
Title:	kernel.core_pattern setting in system sysctl configuration files is set to 1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23031101 (textfilecontent54_object)
Object Requirements:	for path, at least one of the following must be true: path must be equal to '/run/sysctl.d' path must be equal to '/lib/sysctl.d' path must be equal to '/usr/lib/sysctl.d' path must be equal to '/usr/local/lib/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.core_pattern\s=\s(.+)\s*$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23031100 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '\|/bin/false'
Collected Item/State Result: [ false ]	filepath equals '/lib/sysctl.d/50-coredump.conf' path equals '/lib/sysctl.d' filename equals '50-coredump.conf' pattern equals '^\skernel\.core_pattern\s=\s(.+)\s$' instance equals '1' text equals 'kernel.core_pattern=\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h ' subexpression equals '\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
Collected Item/State Result: [ false ]	filepath equals '/usr/lib/sysctl.d/50-coredump.conf' path equals '/usr/lib/sysctl.d' filename equals '50-coredump.conf' pattern equals '^\skernel\.core_pattern\s=\s(.+)\s$' instance equals '1' text equals 'kernel.core_pattern=\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h ' subexpression equals '\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
Additional Information:	Check requirement not met. subexpression subexpression

Test ID:	oval:mil.disa.stig.ind:tst:23031100 (textfilecontent54_test)
Result:	false
Title:	kernel.core_pattern setting in admin sysctl configuration files is set to 1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23031100 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/sysctl.d' filename must match the pattern '^.\.conf$' pattern must match the pattern '^\skernel\.core_pattern\s=\s(.+)\s*$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23031100 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '\|/bin/false'
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.unix:tst:23031100 (sysctl_test)
Result:	false
Title:	kernel.core_pattern setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23031100 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.core_pattern'
State ID:	oval:mil.disa.stig.unix:ste:23031100 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '\|/bin/false'
Collected Item/State Result: [ false ]	name equals 'kernel.core_pattern' value equals '\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
Additional Information:	Check requirement not met. value

V-257805 - RHEL 9 must be configured to disable the Controller Area Network kernel module.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257805r925402_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213050

Identities:

CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.

Fix Text:

To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf (or create atm.conf if it does not exist):

install can /bin/false
blacklist can

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257805
Result:	false
Title:	RHEL-09-213050 - RHEL 9 must be configured to disable the Controller Area Network kernel module.
Description:	Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/etc/modprobe.d contains a file that contains 'blacklist can')

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23049501 (textfilecontent54_test)
Result:	false
Title:	/etc/modprobe.d contains a file that contains 'blacklist can'
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23049501 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/modprobe.d' filename must match the pattern '.' pattern must match the pattern '^[ \t]blacklist[ \t]+can[ \t]*$' instance must be greater than or equal to '1'
Additional Information:	Check existence requirement not met.

V-257808 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257808r925411_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213065

Identities:

CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Failing to disconnect unused protocols can result in a system compromise.

The Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Fix Text:

To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist):

install tipc /bin/false
blacklist tipc

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257808
Result:	false
Title:	RHEL-09-213065 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
Description:	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. The Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/etc/modprobe.d contains a file that contains 'install tipc /bin/true') false (/etc/modprobe.d contains a file that contains 'blacklist tipc')

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23049700 (textfilecontent54_test)
Result:	false
Title:	/etc/modprobe.d contains a file that contains 'install tipc /bin/true'
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23049700 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/modprobe.d' filename must match the pattern '.' pattern must match the pattern '^[ \t]install[ \t]+tipc[ \t]+/bin/true[ \t]*$' instance must be greater than or equal to '1'
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.ind:tst:23049701 (textfilecontent54_test)
Result:	false
Title:	/etc/modprobe.d contains a file that contains 'blacklist tipc'
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23049701 (textfilecontent54_object)
Object Requirements:	path must be equal to '/etc/modprobe.d' filename must match the pattern '.' pattern must match the pattern '^[ \t]blacklist[ \t]+tipc[ \t]*$' instance must be greater than or equal to '1'
Additional Information:	Check existence requirement not met.

V-257810 - RHEL 9 must disable access to network bpf system call from nonprivileged processes.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257810r925417_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213075

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2)

Description:

Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.

Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227

Fix Text:

Configure RHEL 9 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory:

kernel.unprivileged_bpf_disabled = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257810
Result:	false
Title:	RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes.
Description:	Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (kernel.unprivileged_bpf_disabled setting in kernel is set to 1) false (kernel.unprivileged_bpf_disabled is set to 1, and nothing else, and there are no conflicting settings in other files)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23054500 (sysctl_test)
Result:	false
Title:	kernel.unprivileged_bpf_disabled setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23054500 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.unprivileged_bpf_disabled'
State ID:	oval:mil.disa.stig.unix:ste:20000010 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '1'
Collected Item/State Result: [ false ]	name equals 'kernel.unprivileged_bpf_disabled' value equals '2'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23054501 (textfilecontent54_test)
Result:	false
Title:	kernel.unprivileged_bpf_disabled is set to 1, and nothing else, and there are no conflicting settings in other files
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23054501 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Additional Information:	Check existence requirement not met.

V-257811 - RHEL 9 must restrict usage of ptrace to descendant processes.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257811r925420_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213080

Identities:

Description:

Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).

Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227

Fix Text:

Configure RHEL 9 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory:

kernel.yama.ptrace_scope = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257811
Result:	false
Title:	RHEL-09-213080 - RHEL 9 must restrict usage of ptrace to descendant processes.
Description:	Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (kernel.yama.ptrace_scope setting in kernel is set to 1) false (kernel.yama.ptrace_scope in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23054600 (sysctl_test)
Result:	false
Title:	kernel.yama.ptrace_scope setting in kernel is set to 1
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23054600 (sysctl_object)
Object Requirements:	name must be equal to 'kernel.yama.ptrace_scope'
State ID:	oval:mil.disa.stig.unix:ste:20000010 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '1'
Collected Item/State Result: [ false ]	name equals 'kernel.yama.ptrace_scope' value equals '0'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23054601 (textfilecontent54_test)
Result:	false
Title:	kernel.yama.ptrace_scope in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23054603 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Collected Item/State Result: [ false ]	filepath equals '/lib/sysctl.d/10-default-yama-scope.conf' path equals '/lib/sysctl.d' filename equals '10-default-yama-scope.conf' pattern equals '(?:^\|\.\n)\skernel\.yama\.ptrace_scope\s=\s(\d+)\s*$' instance equals '1' text equals ' kernel.yama.ptrace_scope = 0 ' subexpression equals '0'
Collected Item/State Result: [ false ]	filepath equals '/usr/lib/sysctl.d/10-default-yama-scope.conf' path equals '/usr/lib/sysctl.d' filename equals '10-default-yama-scope.conf' pattern equals '(?:^\|\.\n)\skernel\.yama\.ptrace_scope\s=\s(\d+)\s*$' instance equals '1' text equals ' kernel.yama.ptrace_scope = 0 ' subexpression equals '0'
Additional Information:	Check requirement not met. subexpression subexpression

V-257813 - RHEL 9 must disable storing core dumps.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257813r925426_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213090

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.

Fix Text:

Configure the operating system to disable storing core dumps for all users.

Add or modify the following line in /etc/systemd/coredump.conf:

Storage=none

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257813
Result:	false
Title:	RHEL-09-213090 - RHEL 9 must disable storing core dumps.
Description:	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/usr/systemd/coredump.conf:Storage is set to none.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23031400 (textfilecontent54_test)
Result:	false
Title:	/usr/systemd/coredump.conf:Storage is set to none.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23031400 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/systemd/coredump.conf' pattern must match the pattern '^\sStorage\s=\s(\w)\s(?:#.)?$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000014 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to 'none'
Additional Information:	Check existence requirement not met.

V-257814 - RHEL 9 must disable core dumps for all users.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257814r925429_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213095

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Fix Text:

Configure the operating system to disable core dumps for all users.

Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/:

* hard core 0

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257814
Result:	false
Title:	RHEL-09-213095 - RHEL 9 must disable core dumps for all users.
Description:	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (For the global domain, core is set to 0.) true (If core is set for any specific domains, it is set to 0.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23031300 (textfilecontent54_test)
Result:	false
Title:	For the global domain, core is set to 0.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23031300 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:23031300 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.ind:tst:23031301 (textfilecontent54_test)
Result:	true
Title:	If core is set for any specific domains, it is set to 0.
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23031301 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:23031300 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'

V-257815 - RHEL 9 must disable acquiring, saving, and processing core dumps.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257815r925432_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213100

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Fix Text:

Configure the system to disable the systemd-coredump.socket with the following command:

$ sudo systemctl mask --now systemd-coredump.socket

Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null

Reload the daemon for this change to take effect.

$ sudo systemctl daemon-reload

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257815
Result:	false
Title:	RHEL-09-213100 - RHEL 9 must disable acquiring, saving, and processing core dumps.
Description:	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (systemd-coredump.socket LoadState is masked if exists) false (systemd-coredump.socket UnitFileState is masked if exists)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23031200 (systemdunitproperty_test)
Result:	false
Title:	systemd-coredump.socket LoadState is masked if exists
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23031200 (systemdunitproperty_object)
Object Requirements:	unit must be equal to 'systemd-coredump.socket' property must be equal to 'LoadState'
State ID:	oval:mil.disa.stig.linux:ste:23031200 (systemdunitproperty_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to 'masked'
Collected Item/State Result: [ false ]	unit equals 'systemd-coredump.socket' property equals 'LoadState' value equals 'loaded'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.linux:tst:23031201 (systemdunitproperty_test)
Result:	false
Title:	systemd-coredump.socket UnitFileState is masked if exists
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23031201 (systemdunitproperty_object)
Object Requirements:	unit must be equal to 'systemd-coredump.socket' property must be equal to 'UnitFileState'
State ID:	oval:mil.disa.stig.linux:ste:23031201 (systemdunitproperty_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to 'masked'
Collected Item/State Result: [ false ]	unit equals 'systemd-coredump.socket' property equals 'UnitFileState' value equals 'static'
Additional Information:	Check requirement not met. value

V-257816 - RHEL 9 must disable the use of user namespaces.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257816r925435_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-213105

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.

Fix Text:

Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory:

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable.

user.max_user_namespaces = 0

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257816
Result:	false
Title:	RHEL-09-213105 - RHEL 9 must disable the use of user namespaces.
Description:	User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (user.max_user_namespaces is set to 0 in kernel) false (user.max_user_namespaces is set to 0 in the sysctl configuration files.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23054800 (sysctl_test)
Result:	false
Title:	user.max_user_namespaces is set to 0 in kernel
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23054800 (sysctl_object)
Object Requirements:	name must be equal to 'user.max_user_namespaces'
State ID:	oval:mil.disa.stig.unix:ste:20000009 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '0'
Collected Item/State Result: [ false ]	name equals 'user.max_user_namespaces' value equals '62543'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23054801 (textfilecontent54_test)
Result:	false
Title:	user.max_user_namespaces is set to 0 in the sysctl configuration files.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23054803 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'
Additional Information:	Check existence requirement not met.

V-257827 - RHEL 9 must not have the sendmail package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257827r925468_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215020

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead.

Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049

Fix Text:

Remove the sendmail package with the following command:

$ sudo dnf remove sendmail

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257827
Result:	true
Title:	RHEL-09-215020 - RHEL 9 must not have the sendmail package installed.
Description:	The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (package sendmail is NOT installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23048900 (rpminfo_test)
Result:	true
Title:	package sendmail is NOT installed
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23048900 (rpminfo_object)
Object Requirements:	name must be equal to 'sendmail'

V-257828 - RHEL 9 must not have the nfs-utils package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257828r925471_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215025

Identities:

CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host.

Fix Text:

Remove the nfs-utils package with the following command:

$ sudo dnf remove nfs-utils

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257828
Result:	true
Title:	RHEL-09-215025 - RHEL 9 must not have the nfs-utils package installed.
Description:	"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (nfs-utils package is installed) (negated)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25782800 (rpminfo_test)
Result:	false
Title:	nfs-utils package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25782800 (rpminfo_object)
Object Requirements:	name must be equal to 'nfs-utils'
Additional Information:	Check existence requirement not met.

V-257830 - RHEL 9 must not have the rsh-server package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257830r925477_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215035

Identities:

CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services.

Fix Text:

Remove the rsh-server package with the following command:

$ sudo dnf remove rsh-server

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257830
Result:	true
Title:	RHEL-09-215035 - RHEL 9 must not have the rsh-server package installed.
Description:	The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The rsh-server package is absent.)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23049200 (rpminfo_test)
Result:	true
Title:	The rsh-server package is absent.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23049200 (rpminfo_object)
Object Requirements:	name must be equal to 'rsh-server'

V-257831 - RHEL 9 must not have the telnet-server package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257831r925480_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215040

Identities:

CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a)

Description:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors.

The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.

Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service.

Fix Text:

Remove the telnet-server package with the following command:

$ sudo dnf remove telnet-server

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257831
Result:	true
Title:	RHEL-09-215040 - RHEL 9 must not have the telnet-server package installed.
Description:	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (package telnet-server is NOT installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23048700 (rpminfo_test)
Result:	true
Title:	package telnet-server is NOT installed
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23048700 (rpminfo_object)
Object Requirements:	name must be equal to 'telnet-server'

V-257833 - RHEL 9 must not have the iprutils package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257833r925486_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215050

Identities:

Description:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227

Fix Text:

Remove the iprutils package with the following command:

$ sudo dnf remove iprutils

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257833
Result:	true
Title:	RHEL-09-215050 - RHEL 9 must not have the iprutils package installed.
Description:	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (package iprutils is NOT installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23056000 (rpminfo_test)
Result:	true
Title:	package iprutils is NOT installed
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23056000 (rpminfo_object)
Object Requirements:	name must be equal to 'iprutils'

V-257834 - RHEL 9 must not have the tuned package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257834r925489_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-215055

Identities:

Description:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227

Fix Text:

Remove the tuned package with the following command:

$ sudo dnf remove tuned

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257834
Result:	false
Title:	RHEL-09-215055 - RHEL 9 must not have the tuned package installed.
Description:	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (tuned package is installed) (negated)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23056100 (rpminfo_test)
Result:	true
Title:	tuned package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23056100 (rpminfo_object)
Object Requirements:	name must be equal to 'tuned'
Collected Item/State Result: [ not evaluated ]	name equals 'tuned' arch equals 'noarch' epoch equals '(none)' release equals '1.el9_3' version equals '2.21.0' evr equals '0:2.21.0-1.el9_3' signature_keyid equals '199e2f91fd431d51' extended_name equals 'tuned-(none):2.21.0-1.el9_3.noarch'

V-257837 - A graphical display manager must not be installed on RHEL 9 unless approved.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257837r925498_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-215070

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Fix Text:

Document the requirement for a graphical user interface with the ISSO or remove all xorg packages with the following command:

Warning: If you are accessing the system through the graphical user interface, change to the multi-user.target with the following command:

$ sudo systemctl isolate multi-user.target

Warning: Removal of the graphical user interface will immediately render it useless. The following commands must not be run from a virtual terminal emulator in the graphical interface.

$ sudo dnf remove "xorg*"
$ sudo systemctl set-default multi-user.target

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257837
Result:	true
Title:	RHEL-09-215070 - A graphical display manager must not be installed on RHEL 9 unless approved.
Description:	Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The graphical display manager is absent.)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23055300 (rpminfo_test)
Result:	true
Title:	The graphical display manager is absent.
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23055300 (rpminfo_object)
Object Requirements:	name must be equal to 'xorg-x11-server-common'

V-257840 - RHEL 9 must have the nss-tools package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257840r925507_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-215085

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database.

Fix Text:

The nss-tools package can be installed with the following command:

$ sudo dnf install nss-tools

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257840
Result:	false
Title:	RHEL-09-215085 - RHEL 9 must have the nss-tools package installed.
Description:	Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (package nss-tools is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25784000 (rpminfo_test)
Result:	false
Title:	package nss-tools is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25784000 (rpminfo_object)
Object Requirements:	name must be equal to 'nss-tools'
Additional Information:	Check existence requirement not met.

V-257841 - RHEL 9 must have the rng-tools package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257841r925510_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-215090

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

"rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.

Fix Text:

The rng-tools package can be installed with the following command:

$ sudo dnf install rng-tools

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257841
Result:	false
Title:	RHEL-09-215090 - RHEL 9 must have the rng-tools package installed.
Description:	"rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (The rng-tools package is installed.)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:24452700 (rpminfo_test)
Result:	false
Title:	The rng-tools package is installed.
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:24452700 (rpminfo_object)
Object Requirements:	name must be equal to 'rng-tools'
Additional Information:	Check existence requirement not met.

V-257842 - RHEL 9 must have the s-nail package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257842r925513_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-215095

Identities:

CCI-001744 (NIST SP 800-53 Rev 4: CM-3 (5); NIST SP 800-53 Rev 5: CM-3 (5))

Description:

The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.

Fix Text:

The s-nail package can be installed with the following command:

$ sudo dnf install s-nail

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257842
Result:	false
Title:	RHEL-09-215095 - RHEL 9 must have the s-nail package installed.
Description:	The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (The s-nail package is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25784200 (rpminfo_test)
Result:	false
Title:	The s-nail package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25784200 (rpminfo_object)
Object Requirements:	name must be equal to 's-nail'
Additional Information:	Check existence requirement not met.

V-257849 - RHEL 9 file system automount function must be disabled unless required.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257849r925534_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-231040

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-000778 (NIST SP 800-53: IA-3; NIST SP 800-53A: IA-3.1 (ii); NIST SP 800-53 Rev 4: IA-3; NIST SP 800-53 Rev 5: IA-3)
CCI-001958 (NIST SP 800-53 Rev 4: IA-3; NIST SP 800-53 Rev 5: IA-3)

Description:

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.

Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Fix Text:

Configure RHEL 9 to disable the ability to automount devices.

The autofs service can be disabled with the following command:

$ sudo systemctl mask --now autofs.service

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257849
Result:	true
Title:	RHEL-09-231040 - RHEL 9 file system automount function must be disabled unless required.
Description:	An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The automount service is disabled)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23050200 (process58_test)
Result:	true
Title:	The automount service is disabled
Check Existence:	No collected items may exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.unix:obj:23050200 (process58_object)
Object Requirements:	command_line must match the pattern '^(/usr)?/sbin/automount.*' pid must be greater than '1'

V-257850 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257850r925537_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-231045

Identities:

CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2))

Description:

The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.

The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.

Fix Text:

Modify "/etc/fstab" to use the "nodev" option on the "/home" directory.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257850
Result:	false
Title:	RHEL-09-231045 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
Description:	The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/home is mounted with the noexec option)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25785000 (partition_test)
Result:	false
Title:	/home is mounted with the noexec option
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:25785000 (partition_object)
Object Requirements:	mount_point must be equal to '/home'
State ID:	oval:mil.disa.stig.linux:ste:20000001 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
Collected Item/State Result: [ not evaluated ]	mount_point does not exist
Additional Information:	Check existence requirement not met.

V-257855 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

Rule ID:

xccdf_mil.disa.stig_rule_SV-257855r925552_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-231070

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.

Fix Text:

Update each NFS mounted file system to use the "noexec" option on file systems that are being imported via NFS.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257855
Result:	true
Title:	RHEL-09-231070 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
Description:	The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (all nfs entries in /etc/fstab have noexec) true (all nfs entries in /etc/mtab have noexec)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23030600 (textfilecontent54_test)
Result:	true
Title:	all nfs entries in /etc/fstab have noexec
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23030600 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/fstab' pattern must match the pattern '^\s\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.)$' instance must not be equal to '0'
State ID:	oval:mil.disa.stig.ind:ste:23030600 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^.noexec.$'

Test ID:	oval:mil.disa.stig.ind:tst:23030601 (textfilecontent54_test)
Result:	true
Title:	all nfs entries in /etc/mtab have noexec
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23030601 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/mtab' pattern must match the pattern '^\s\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.)$' instance must not be equal to '0'
State ID:	oval:mil.disa.stig.ind:ste:23030600 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^.noexec.$'

V-257864 - RHEL 9 must mount /dev/shm with the noexec option.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257864r925579_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-231115

Identities:

CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2))

Description:

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.

Fix Text:

Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257864
Result:	false
Title:	RHEL-09-231115 - RHEL 9 must mount /dev/shm with the noexec option.
Description:	The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (If /dev/shm is mounted, it is mounted with the noexec option) true (If /dev/shm is configured in /etc/fstab, it is configured with the noexec option)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23051000 (partition_test)
Result:	false
Title:	If /dev/shm is mounted, it is mounted with the noexec option
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23051000 (partition_object)
Object Requirements:	mount_point must be equal to '/dev/shm'
State ID:	oval:mil.disa.stig.linux:ste:20000000 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'noexec'
Collected Item/State Result: [ false ]	Message - 'device' mount_point equals '/dev/shm' device equals 'tmpfs' uuid does not exist fs_type equals 'tmpfs' mount_options equals 'rw' mount_options equals 'nosuid' mount_options equals 'nodev' mount_options equals 'seclabel' mount_options equals 'inode64' mount_options equals '6' total_space equals '2012865' space_used equals '0' space_left equals '2012865' space_left_for_unprivileged_users equals '2012865' block_size equals '4096'
Additional Information:	Check requirement not met. mount_options

Test ID:	oval:mil.disa.stig.ind:tst:23051001 (textfilecontent54_test)
Result:	true
Title:	If /dev/shm is configured in /etc/fstab, it is configured with the noexec option
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23051001 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/fstab' pattern must match the pattern '^\s[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s$' instance must be equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23051001 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '(?:^noexec$\|^noexec,\|,noexec$\|,noexec,)'

V-257865 - RHEL 9 must mount /dev/shm with the nosuid option.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257865r925582_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-231120

Identities:

CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2))

Description:

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.

Fix Text:

Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257865
Result:	true
Title:	RHEL-09-231120 - RHEL 9 must mount /dev/shm with the nosuid option.
Description:	The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (If /dev/shm is mounted, it is mounted with the nosuid option) true (If /dev/shm is configured in /etc/fstab, it is configured with the nosuid option)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23050900 (partition_test)
Result:	true
Title:	If /dev/shm is mounted, it is mounted with the nosuid option
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23050900 (partition_object)
Object Requirements:	mount_point must be equal to '/dev/shm'
State ID:	oval:mil.disa.stig.linux:ste:23050900 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'nosuid'
Collected Item/State Result: [ true ]	Message - 'device' mount_point equals '/dev/shm' device equals 'tmpfs' uuid does not exist fs_type equals 'tmpfs' mount_options equals 'rw' mount_options equals 'nosuid' mount_options equals 'nodev' mount_options equals 'seclabel' mount_options equals 'inode64' mount_options equals '6' total_space equals '2012865' space_used equals '0' space_left equals '2012865' space_left_for_unprivileged_users equals '2012865' block_size equals '4096'

Test ID:	oval:mil.disa.stig.ind:tst:23050900 (textfilecontent54_test)
Result:	true
Title:	If /dev/shm is configured in /etc/fstab, it is configured with the nosuid option
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23050900 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/fstab' pattern must match the pattern '^\s[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s$' instance must be equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23050900 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '(?:^nosuid$\|^nosuid,\|,nosuid$\|,nosuid,)'

V-257867 - RHEL 9 must mount /tmp with the noexec option.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257867r925588_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-231130

Identities:

CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2))

Description:

Fix Text:

Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257867
Result:	false
Title:	RHEL-09-231130 - RHEL 9 must mount /tmp with the noexec option.
Description:	The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/tmp is mounted with the noexec option)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23051300 (partition_test)
Result:	false
Title:	/tmp is mounted with the noexec option
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23029500 (partition_object)
Object Requirements:	mount_point must be equal to '/tmp'
State ID:	oval:mil.disa.stig.linux:ste:20000000 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'noexec'
Collected Item/State Result: [ not evaluated ]	mount_point does not exist
Additional Information:	Check existence requirement not met.

V-257873 - RHEL 9 must mount /var/log/audit with the nodev option.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257873r925606_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-231160

Identities:

CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2))

Description:

Fix Text:

Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257873
Result:	false
Title:	RHEL-09-231160 - RHEL 9 must mount /var/log/audit with the nodev option.
Description:	The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/var/log/audit is mounted with the nodev option) false (/var/log/audit is configured with the nodev option in /etc/fstab) false (/var/log/audit is configured in /etc/fstab)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23051700 (partition_test)
Result:	false
Title:	/var/log/audit is mounted with the nodev option
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23051700 (partition_object)
Object Requirements:	mount_point must be equal to '/var/log/audit'
State ID:	oval:mil.disa.stig.linux:ste:20000001 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
Collected Item/State Result: [ not evaluated ]	mount_point does not exist
Additional Information:	Check existence requirement not met.

Test ID:	oval:mil.disa.stig.ind:tst:23051701 (variable_test)
Result:	false
Title:	/var/log/audit is configured with the nodev option in /etc/fstab
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23051701 (variable_object)
Object Requirements:	var_ref must be equal to 'oval:mil.disa.stig.linux:var:23051700'
State ID:	oval:mil.disa.stig.ind:ste:23051700 (variable_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to 'nodev'
Collected Item/State Result: [ false ]	var_ref equals 'oval:mil.disa.stig.linux:var:23051700' value equals ''
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23051702 (textfilecontent54_test)
Result:	false
Title:	/var/log/audit is configured in /etc/fstab
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.ind:obj:23051702 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/fstab' pattern must match the pattern '^\s[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s$' instance must be equal to '1'
Additional Information:	Check existence requirement not met.

V-257881 - RHEL 9 must prevent special devices on non-root local partitions.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257881r925630_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-231200

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Fix Text:

Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257881
Result:	false
Title:	RHEL-09-231200 - RHEL 9 must prevent special devices on non-root local partitions.
Description:	The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (Device files are mounted with the nodev option. Mounts on '/' are ignored.) true (Device files are configured in /etc/fstab to use the nodev option. Mounts on '/' are ignored.)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23030100 (partition_test)
Result:	false
Title:	Device files are mounted with the nodev option. Mounts on '/' are ignored.
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.linux:obj:23030100 (partition_object)
Object Requirements:	mount_point must match the pattern '^/\S+$'
Include Items If:	device matches the pattern '^/dev\S*$'
State ID:	oval:mil.disa.stig.linux:ste:20000001 (partition_state)
State Requirements:	check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
Collected Item/State Result: [ false ]	mount_point equals '/boot' device equals '/dev/xvda3' uuid equals '48ebf8a2-a37f-4e53-9bf6-d77493ca7700' fs_type equals 'xfs' mount_options equals 'rw' mount_options equals 'relatime' mount_options equals 'seclabel' mount_options equals 'attr2' mount_options equals 'inode64' mount_options equals 'logbufs=8' mount_options equals 'logbsize=32k' mount_options equals 'noquota' mount_options equals '4096' total_space equals '126632' space_used equals '62801' space_left equals '63831' space_left_for_unprivileged_users equals '63831' block_size equals '4096'
Collected Item/State Result: [ false ]	mount_point equals '/boot/efi' device equals '/dev/xvda2' uuid equals '7B77-95E7' fs_type equals 'vfat' mount_options equals 'rw' mount_options equals 'relatime' mount_options equals 'fmask=0077' mount_options equals 'dmask=0077' mount_options equals 'codepage=437' mount_options equals 'iocharset=ascii' mount_options equals 'shortname=winnt' mount_options equals 'errors=remount-ro' mount_options equals '4096' total_space equals '51145' space_used equals '5' space_left equals '51140' space_left_for_unprivileged_users equals '51140' block_size equals '4096'
Additional Information:	Check requirement not met. mount_options mount_options

Test ID:	oval:mil.disa.stig.ind:tst:23030101 (textfilecontent54_test)
Result:	true
Title:	Device files are configured in /etc/fstab to use the nodev option. Mounts on '/' are ignored.
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23030101 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/fstab' pattern must match the pattern '^\s/dev\S\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:23030100 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '(?:^nodev$\|^nodev,\|,nodev$\|,nodev,)'

V-257885 - RHEL 9 /var/log directory must have mode 0755 or less permissive.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257885r925642_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-232025

Identities:

CCI-001314 (NIST SP 800-53: SI-11 c; NIST SP 800-53A: SI-11.1 (iv); NIST SP 800-53 Rev 4: SI-11 b; NIST SP 800-53 Rev 5: SI-11 b)

Description:

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix Text:

Configure the "/var/log" directory to a mode of "0755" by running the following command:

$ sudo chmod 0755 /var/log

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257885
Result:	true
Title:	RHEL-09-232025 - RHEL 9 /var/log directory must have mode 0755 or less permissive.
Description:	Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/var/log directory has mode 0755 or less permissive.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23024800 (file_test)
Result:	true
Title:	/var/log directory has mode 0755 or less permissive.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23024800 (file_object)
Object Requirements:	path must be equal to '/var/log'
State ID:	oval:mil.disa.stig.unix:ste:20000008 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', suid must be equal to 'false' check_existence = 'at_least_one_exists', sgid must be equal to 'false' check_existence = 'at_least_one_exists', sticky must be equal to 'false' check_existence = 'at_least_one_exists', gwrite must be equal to 'false' check_existence = 'at_least_one_exists', owrite must be equal to 'false'
Collected Item/State Result: [ true ]	filepath equals '/var/log' path equals '/var/log' filename equals '' type equals 'directory' group_id equals '0' user_id equals '0' a_time equals '1705369909' c_time equals '1705190401' m_time equals '1705190401' size equals '4096' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'

V-257887 - RHEL 9 audit tools must have a mode of 0755 or less permissive.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257887r925648_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-232035

Identities:

CCI-001493 (NIST SP 800-53: AU-9; NIST SP 800-53A: AU-9.1; NIST SP 800-53 Rev 4: AU-9; NIST SP 800-53 Rev 5: AU-9 a)

Description:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.

RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Fix Text:

Configure the audit tools to have a mode of "0755" by running the following command:

$ sudo chmod 0755 [audit_tool]

Replace "[audit_tool]" with each audit tool that has a more permissive mode than 0755.

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257887
Result:	true
Title:	RHEL-09-232035 - RHEL 9 audit tools must have a mode of 0755 or less permissive.
Description:	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (audit tools have a mode of 0755 or less permissive.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23047200 (file_test)
Result:	true
Title:	audit tools have a mode of 0755 or less permissive.
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23047200 (file_object)
Object Requirements:	for filepath, at least one of the following must be true: filepath must be equal to '/sbin/auditctl' filepath must be equal to '/sbin/aureport' filepath must be equal to '/sbin/ausearch' filepath must be equal to '/sbin/autrace' filepath must be equal to '/sbin/auditd' filepath must be equal to '/sbin/rsyslogd' filepath must be equal to '/sbin/augenrules'
State ID:	oval:mil.disa.stig.unix:ste:20000008 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', suid must be equal to 'false' check_existence = 'at_least_one_exists', sgid must be equal to 'false' check_existence = 'at_least_one_exists', sticky must be equal to 'false' check_existence = 'at_least_one_exists', gwrite must be equal to 'false' check_existence = 'at_least_one_exists', owrite must be equal to 'false'
Collected Item/State Result: [ true ]	filepath equals '/sbin/auditctl' path equals '/sbin' filename equals 'auditctl' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019113' c_time equals '1702931248' m_time equals '1688019113' size equals '44648' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'
Collected Item/State Result: [ true ]	filepath equals '/sbin/aureport' path equals '/sbin' filename equals 'aureport' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019113' c_time equals '1702931248' m_time equals '1688019113' size equals '119056' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'
Collected Item/State Result: [ true ]	filepath equals '/sbin/ausearch' path equals '/sbin' filename equals 'ausearch' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019113' c_time equals '1702931248' m_time equals '1688019113' size equals '123120' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'
Collected Item/State Result: [ true ]	filepath equals '/sbin/autrace' path equals '/sbin' filename equals 'autrace' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019113' c_time equals '1702931248' m_time equals '1688019113' size equals '19632' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '0' owrite equals '0' oexec equals '0'
Collected Item/State Result: [ true ]	filepath equals '/sbin/auditd' path equals '/sbin' filename equals 'auditd' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019113' c_time equals '1702931248' m_time equals '1688019113' size equals '144576' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'
Collected Item/State Result: [ true ]	filepath equals '/sbin/rsyslogd' path equals '/sbin' filename equals 'rsyslogd' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1702931385' c_time equals '1702931181' m_time equals '1690807430' size equals '769928' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'
Collected Item/State Result: [ true ]	filepath equals '/sbin/augenrules' path equals '/sbin' filename equals 'augenrules' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1688019112' c_time equals '1702931248' m_time equals '1688019112' size equals '3793' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '1' gread equals '1' gwrite equals '0' gexec equals '1' oread equals '1' owrite equals '0' oexec equals '1'

V-257893 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257893r925666_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-232065

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Fix Text:

Change the mode of the file "/etc/gshadow" to "0000" by running the following command:

$ sudo chmod 0000 /etc/gshadow

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257893
Result:	true
Title:	RHEL-09-232065 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
Description:	The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The /etc/gshadow file has mode 0000 or less permissive)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25789300 (file_test)
Result:	true
Title:	The /etc/gshadow file has mode 0000 or less permissive
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25789300 (file_object)
Object Requirements:	filepath must be equal to '/etc/gshadow'
State ID:	oval:mil.disa.stig.unix:ste:20000012 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', suid must be equal to 'false' check_existence = 'at_least_one_exists', sgid must be equal to 'false' check_existence = 'at_least_one_exists', sticky must be equal to 'false' check_existence = 'at_least_one_exists', uread must be equal to 'false' check_existence = 'at_least_one_exists', uwrite must be equal to 'false' check_existence = 'at_least_one_exists', uexec must be equal to 'false' check_existence = 'at_least_one_exists', gread must be equal to 'false' check_existence = 'at_least_one_exists', gwrite must be equal to 'false' check_existence = 'at_least_one_exists', gexec must be equal to 'false' check_existence = 'at_least_one_exists', oread must be equal to 'false' check_existence = 'at_least_one_exists', owrite must be equal to 'false' check_existence = 'at_least_one_exists', oexec must be equal to 'false'
Collected Item/State Result: [ true ]	filepath equals '/etc/gshadow' path equals '/etc' filename equals 'gshadow' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1704910031' c_time equals '1704910031' m_time equals '1704910031' size equals '522' suid equals '0' sgid equals '0' sticky equals '0' uread equals '0' uwrite equals '0' uexec equals '0' gread equals '0' gwrite equals '0' gexec equals '0' oread equals '0' owrite equals '0' oexec equals '0'

V-257899 - RHEL 9 /etc/group file must be group-owned by root.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257899r925684_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-232095

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Fix Text:

Change the group of the file /etc/group to root by running the following command:

$ sudo chgrp root /etc/group

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257899
Result:	true
Title:	RHEL-09-232095 - RHEL 9 /etc/group file must be group-owned by root.
Description:	The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/etc/group file is owned by root)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25789900 (file_test)
Result:	true
Title:	/etc/group file is owned by root
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25789900 (file_object)
Object Requirements:	filepath must be equal to '/etc/group'
State ID:	oval:mil.disa.stig.unix:ste:20000006 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', group_id must be equal to '0'
Collected Item/State Result: [ true ]	filepath equals '/etc/group' path equals '/etc' filename equals 'group' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1705345261' c_time equals '1704910031' m_time equals '1704910031' size equals '651' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '0' gread equals '1' gwrite equals '0' gexec equals '0' oread equals '1' owrite equals '0' oexec equals '0'

V-257917 - RHEL 9 /var/log/messages file must be group-owned by root.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257917r925738_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-232185

Identities:

CCI-001314 (NIST SP 800-53: SI-11 c; NIST SP 800-53A: SI-11.1 (iv); NIST SP 800-53 Rev 4: SI-11 b; NIST SP 800-53 Rev 5: SI-11 b)

Description:

Fix Text:

Change the group owner of the "/var/log/messages" file to "root" by running the following command:

$ sudo chgrp root /var/log/messages

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257917
Result:	true
Title:	RHEL-09-232185 - RHEL 9 /var/log/messages file must be group-owned by root.
Description:	Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (/var/log/messages file is owned by root)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23024700 (file_test)
Result:	true
Title:	/var/log/messages file is owned by root
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23024700 (file_object)
Object Requirements:	filepath must be equal to '/var/log/messages'
State ID:	oval:mil.disa.stig.unix:ste:20000006 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', group_id must be equal to '0'
Collected Item/State Result: [ true ]	filepath equals '/var/log/messages' path equals '/var/log' filename equals 'messages' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1705190401' c_time equals '1705371895' m_time equals '1705371895' size equals '260116' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '0' gread equals '0' gwrite equals '0' gexec equals '0' oread equals '0' owrite equals '0' oexec equals '0'

V-257935 - RHEL 9 must have the firewalld package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257935r928954_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-251010

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)
CCI-000382 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (iii); NIST SP 800-53 Rev 4: CM-7 b; NIST SP 800-53 Rev 5: CM-7 b)
CCI-002314 (NIST SP 800-53 Rev 4: AC-17 (1); NIST SP 800-53 Rev 5: AC-17 (1))
CCI-002322 (NIST SP 800-53 Rev 4: AC-17 (9); NIST SP 800-53 Rev 5: AC-17 (9))

Description:

"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.

Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232

Fix Text:

To install the "firewalld" package run the following command:

$ sudo dnf install firewalld

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257935
Result:	false
Title:	RHEL-09-251010 - RHEL 9 must have the firewalld package installed.
Description:	"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (firewalld package is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23050500 (rpminfo_test)
Result:	false
Title:	firewalld package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23050500 (rpminfo_object)
Object Requirements:	name must be equal to 'firewalld'
Additional Information:	Check existence requirement not met.

V-257943 - RHEL 9 must have the chrony package installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257943r925816_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-252010

Identities:

CCI-001891 (NIST SP 800-53 Rev 4: AU-8 (1) (a))

Description:

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Fix Text:

The chrony package can be installed with the following command:

$ sudo dnf install chrony

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257943
Result:	true
Title:	RHEL-09-252010 - RHEL 9 must have the chrony package installed.
Description:	Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The chrony package is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25794300 (rpminfo_test)
Result:	true
Title:	The chrony package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25794300 (rpminfo_object)
Object Requirements:	name must be equal to 'chrony'
Collected Item/State Result: [ not evaluated ]	name equals 'chrony' arch equals 'x86_64' epoch equals '(none)' release equals '1.el9' version equals '4.3' evr equals '0:4.3-1.el9' signature_keyid equals '199e2f91fd431d51' extended_name equals 'chrony-(none):4.3-1.el9.x86_64'

V-257969 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257969r925894_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-253070

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

Fix Text:

Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.default.send_redirects = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257969
Result:	false
Title:	RHEL-09-253070 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
Description:	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (net.ipv4.conf.default.send_redirects is set to 0 in kernel) false (net.ipv4.conf.default.send_redirects is set to 0 in the sysctl configuration files.)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:23054300 (sysctl_test)
Result:	false
Title:	net.ipv4.conf.default.send_redirects is set to 0 in kernel
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:23054300 (sysctl_object)
Object Requirements:	name must be equal to 'net.ipv4.conf.default.send_redirects'
State ID:	oval:mil.disa.stig.unix:ste:20000009 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '0'
Collected Item/State Result: [ false ]	name equals 'net.ipv4.conf.default.send_redirects' value equals '1'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:23054301 (textfilecontent54_test)
Result:	false
Title:	net.ipv4.conf.default.send_redirects is set to 0 in the sysctl configuration files.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23054303 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'
Additional Information:	Check existence requirement not met.

V-257975 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257975r925912_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-254030

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

An illicit router advertisement message could result in a man-in-the-middle attack.

Fix Text:

Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv6.conf.default.accept_ra = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257975
Result:	false
Title:	RHEL-09-254030 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
Description:	An illicit router advertisement message could result in a man-in-the-middle attack.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (net.ipv6.conf.default.accept_ra setting in kernel is set to 0) false (net.ipv6.conf.default.accept_ra setting in the sysctl configuration files is set to 0, and nothing else)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25312000 (sysctl_test)
Result:	false
Title:	net.ipv6.conf.default.accept_ra setting in kernel is set to 0
Check Existence:	All collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25312000 (sysctl_object)
Object Requirements:	name must be equal to 'net.ipv6.conf.default.accept_ra'
State ID:	oval:mil.disa.stig.unix:ste:20000009 (sysctl_state)
State Requirements:	check_existence = 'at_least_one_exists', value must be equal to '0'
Collected Item/State Result: [ false ]	name equals 'net.ipv6.conf.default.accept_ra' value equals '1'
Additional Information:	Check requirement not met. value

Test ID:	oval:mil.disa.stig.ind:tst:25312001 (textfilecontent54_test)
Result:	false
Title:	net.ipv6.conf.default.accept_ra setting in the sysctl configuration files is set to 0, and nothing else
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:25312003 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '0'
Additional Information:	Check existence requirement not met.

V-257993 - RHEL 9 must not allow users to override SSH environment variables.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257993r925966_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-255085

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

SSH environment options potentially allow users to bypass access restriction in some configurations.

Fix Text:

Configure the RHEL 9 SSH daemon to not allow unattended or automatic logon to the system.

Add or edit the following line in the "/etc/ssh/sshd_config" file:

PermitUserEnvironment no

Restart the SSH daemon for the setting to take effect:

$ sudo systemctl restart sshd.service

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257993
Result:	false
Title:	RHEL-09-255085 - RHEL 9 must not allow users to override SSH environment variables.
Description:	SSH environment options potentially allow users to bypass access restriction in some configurations.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (The PermitUserEnvironment option is not set to yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf.)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23033000 (textfilecontent54_test)
Result:	false
Title:	The PermitUserEnvironment option is not set to yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf.
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23033000 (textfilecontent54_object)
Object Requirements:	Collect any available items.
State ID:	oval:mil.disa.stig.ind:ste:20000017 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^(no\|"no")$'
Additional Information:	Check existence requirement not met.

V-257995 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257995r925972_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-255095

Identities:

CCI-001133 (NIST SP 800-53: SC-10; NIST SP 800-53A: SC-10.1 (ii); NIST SP 800-53 Rev 4: SC-10; NIST SP 800-53 Rev 5: SC-10)
CCI-002361 (NIST SP 800-53 Rev 4: AC-12; NIST SP 800-53 Rev 5: AC-12)

Description:

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

RHEL 9 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.

Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109

Fix Text:

Note: This setting must be applied in conjunction with RHEL-09-255100 to function correctly.

Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.

Modify or append the following lines in the "/etc/ssh/sshd_config" file:

ClientAliveCountMax 1

In order for the changes to take effect, the SSH daemon must be restarted.

$ sudo systemctl restart sshd.service

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257995
Result:	false
Title:	RHEL-09-255095 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
Description:	Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. RHEL 9 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (/etc/ssh/sshd_config:ClientAliveCountMax = 1)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23024400 (textfilecontent54_test)
Result:	false
Title:	/etc/ssh/sshd_config:ClientAliveCountMax = 1
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23024400 (textfilecontent54_object)
Object Requirements:	filepath must be equal to '/etc/ssh/sshd_config' pattern must match the pattern '^\s(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s(?:\|(?:#.*))?$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must be equal to '1'
Additional Information:	Check existence requirement not met.

V-257999 - RHEL 9 SSH server configuration file must have mode 0600 or less permissive.

Rule ID:

xccdf_mil.disa.stig_rule_SV-257999r925984_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-255115

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Fix Text:

Configure the "/etc/ssh/sshd_config" permissions to be "0600" with the following command:

$ sudo chmod 0600 /etc/ssh/sshd_config

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:257999
Result:	true
Title:	RHEL-09-255115 - RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
Description:	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The /etc/ssh/sshd_config file has mode 0644 or less permissive)

Tests:

Test ID:	oval:mil.disa.stig.unix:tst:25799900 (file_test)
Result:	true
Title:	The /etc/ssh/sshd_config file has mode 0644 or less permissive
Check Existence:	Zero or more collected items may exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.unix:obj:25799900 (file_object)
Object Requirements:	filepath must be equal to '/etc/ssh/sshd_config'
State ID:	oval:mil.disa.stig.unix:ste:20000004 (file_state)
State Requirements:	check_existence = 'at_least_one_exists', suid must be equal to 'false' check_existence = 'at_least_one_exists', sgid must be equal to 'false' check_existence = 'at_least_one_exists', sticky must be equal to 'false' check_existence = 'at_least_one_exists', uexec must be equal to 'false' check_existence = 'at_least_one_exists', gread must be equal to 'false' check_existence = 'at_least_one_exists', gwrite must be equal to 'false' check_existence = 'at_least_one_exists', gexec must be equal to 'false' check_existence = 'at_least_one_exists', oread must be equal to 'false' check_existence = 'at_least_one_exists', owrite must be equal to 'false' check_existence = 'at_least_one_exists', oexec must be equal to 'false'
Collected Item/State Result: [ true ]	filepath equals '/etc/ssh/sshd_config' path equals '/etc/ssh' filename equals 'sshd_config' type equals 'regular' group_id equals '0' user_id equals '0' a_time equals '1705372490' c_time equals '1702934493' m_time equals '1702934493' size equals '3692' suid equals '0' sgid equals '0' sticky equals '0' uread equals '1' uwrite equals '1' uexec equals '0' gread equals '0' gwrite equals '0' gexec equals '0' oread equals '0' owrite equals '0' oexec equals '0'

V-258007 - RHEL 9 SSH daemon must disable remote X connections for interactive users.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258007r926008_rule

Test Type:

Automated

Result:

Fail

Version:

RHEL-09-255155

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Fix Text:

Configure the SSH daemon to not allow X11 forwarding.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

X11forwarding no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258007
Result:	false
Title:	RHEL-09-255155 - RHEL 9 SSH daemon must disable remote X connections for interactive users.
Description:	When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
Class:	compliance
Tests:	false (All child checks must be true.) false (All child checks must be true.) false (Query the value of the X11Forwarding setting in /etc/ssh/sshd_config)

Tests:

Test ID:	oval:mil.disa.stig.ind:tst:23055500 (textfilecontent54_test)
Result:	false
Title:	Query the value of the X11Forwarding setting in /etc/ssh/sshd_config
Check Existence:	One or more collected items must exist.
Check:	All collected items must match the given state(s).
Object ID:	oval:mil.disa.stig.ind:obj:23055500 (textfilecontent54_object)
Object Requirements:	behavior requirements: ignore_case = true filepath must be equal to '/etc/ssh/sshd_config' pattern must match the pattern '^\sX11Forwarding[ \t]+([^\s#])[ \t](?:\|(?:#.))?$' instance must be greater than or equal to '1'
State ID:	oval:mil.disa.stig.ind:ste:20000017 (textfilecontent54_state)
State Requirements:	check_existence = 'at_least_one_exists', subexpression must match the pattern '^(no\|"no")$'
Additional Information:	Check existence requirement not met.

V-258082 - RHEL 9 policycoreutils-python-utils package must be installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258082r926233_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-431030

Identities:

CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b)

Description:

The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox.

Fix Text:

Install the policycoreutils-python-utils service package (if the policycoreutils-python-utils service is not already installed) with the following command:

$ sudo dnf install policycoreutils-python-utils

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258082
Result:	true
Title:	RHEL-09-431030 - RHEL 9 policycoreutils-python-utils package must be installed.
Description:	The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox.
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (The policycoreutils-python-utils package is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:25808200 (rpminfo_test)
Result:	true
Title:	The policycoreutils-python-utils package is installed
Check Existence:	One or more collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:25808200 (rpminfo_object)
Object Requirements:	name must be equal to 'policycoreutils-python-utils'
Collected Item/State Result: [ not evaluated ]	name equals 'policycoreutils-python-utils' arch equals 'noarch' epoch equals '(none)' release equals '3.el9_3' version equals '3.5' evr equals '0:3.5-3.el9_3' signature_keyid equals '199e2f91fd431d51' extended_name equals 'policycoreutils-python-utils-(none):3.5-3.el9_3.noarch'

V-258151 - RHEL 9 audit package must be installed.

Rule ID:

xccdf_mil.disa.stig_rule_SV-258151r926440_rule

Test Type:

Automated

Result:

Pass

Version:

RHEL-09-653010

Identities:

Description:

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 9 system.

Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026

Fix Text:

Install the audit service package (if the audit service is not already installed) with the following command:

$ sudo dnf install audit

Severity:

medium

Weight:

10.0

Reference:

Title:	DPMS Target Red Hat Enterprise Linux 9
Publisher:	DISA
Type:	DPMS Target
Subject:	Red Hat Enterprise Linux 9
Identifier:	5551

Definitions:

Definition ID:	oval:mil.disa.stig.rhel9os:def:258151
Result:	true
Title:	RHEL-09-653010 - RHEL 9 audit package must be installed.
Description:	Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 9 system. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026
Class:	compliance
Tests:	true (All child checks must be true.) true (All child checks must be true.) true (package audit is installed)

Tests:

Test ID:	oval:mil.disa.stig.linux:tst:23041100 (rpminfo_test)
Result:	true
Title:	package audit is installed
Check Existence:	All collected items must exist.
Check:	Result is based on check existence only.
Object ID:	oval:mil.disa.stig.linux:obj:23041100 (rpminfo_object)
Object Requirements:	name must be equal to 'audit'
Collected Item/State Result: [ not evaluated ]	name equals 'audit' arch equals 'x86_64' epoch equals '(none)' release equals '104.el9' version equals '3.0.7' evr equals '0:3.0.7-104.el9' signature_keyid equals '199e2f91fd431d51' extended_name equals 'audit-(none):3.0.7-104.el9.x86_64'

Detailed Results: Low Severity (CAT III)

All Settings Report - Red Hat Enterprise Linux 9 STIG SCAP Benchmark

Score

System Information

Content Information

Results: High Severity (CAT I)

Automated Checks

Manual Checks

Results: Medium Severity (CAT II)

Automated Checks

Manual Checks

Results: Low Severity (CAT III)

Automated Checks

Manual Checks

Detailed Results: High Severity (CAT I)

V-257777 - RHEL 9 must be a vendor-supported release.

V-257784 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.

V-257820 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

V-257821 - RHEL 9 must check the GPG signature of locally installed software packages before installation.

V-257826 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

V-257955 - There must be no shosts.equiv files on RHEL 9.

V-257956 - There must be no .shosts files on RHEL 9.

V-257984 - RHEL 9 SSHD must not allow blank passwords.

V-257986 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

V-258059 - The root account must be the only account having unrestricted access to RHEL 9 system.

V-258078 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services.

V-258094 - RHEL 9 must not allow blank or null passwords.

V-258230 - RHEL 9 must enable FIPS mode.

Detailed Results: Medium Severity (CAT II)

V-257781 - The graphical display manager must not be the default target on RHEL 9 unless approved.

V-257787 - RHEL 9 must require a boot loader superuser password.

V-257790 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.

V-257791 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root.

V-257797 - RHEL 9 must restrict access to the kernel message buffer.

V-257798 - RHEL 9 must prevent kernel profiling by nonprivileged users.

V-257799 - RHEL 9 must prevent the loading of a new kernel for later execution.

V-257802 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

V-257803 - RHEL 9 must disable the kernel.core_pattern.

V-257805 - RHEL 9 must be configured to disable the Controller Area Network kernel module.

V-257808 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

V-257810 - RHEL 9 must disable access to network bpf system call from nonprivileged processes.

V-257811 - RHEL 9 must restrict usage of ptrace to descendant processes.

V-257813 - RHEL 9 must disable storing core dumps.

V-257814 - RHEL 9 must disable core dumps for all users.

V-257815 - RHEL 9 must disable acquiring, saving, and processing core dumps.

V-257816 - RHEL 9 must disable the use of user namespaces.

V-257827 - RHEL 9 must not have the sendmail package installed.

V-257828 - RHEL 9 must not have the nfs-utils package installed.

V-257830 - RHEL 9 must not have the rsh-server package installed.

V-257831 - RHEL 9 must not have the telnet-server package installed.

V-257833 - RHEL 9 must not have the iprutils package installed.

V-257834 - RHEL 9 must not have the tuned package installed.

V-257837 - A graphical display manager must not be installed on RHEL 9 unless approved.

V-257840 - RHEL 9 must have the nss-tools package installed.

V-257841 - RHEL 9 must have the rng-tools package installed.

V-257842 - RHEL 9 must have the s-nail package installed.

V-257849 - RHEL 9 file system automount function must be disabled unless required.

V-257850 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.

V-257855 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

V-257864 - RHEL 9 must mount /dev/shm with the noexec option.

V-257865 - RHEL 9 must mount /dev/shm with the nosuid option.

V-257867 - RHEL 9 must mount /tmp with the noexec option.

V-257873 - RHEL 9 must mount /var/log/audit with the nodev option.

V-257881 - RHEL 9 must prevent special devices on non-root local partitions.

V-257885 - RHEL 9 /var/log directory must have mode 0755 or less permissive.

V-257887 - RHEL 9 audit tools must have a mode of 0755 or less permissive.

V-257893 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.

V-257899 - RHEL 9 /etc/group file must be group-owned by root.

V-257917 - RHEL 9 /var/log/messages file must be group-owned by root.

V-257935 - RHEL 9 must have the firewalld package installed.

V-257943 - RHEL 9 must have the chrony package installed.

V-257969 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

V-257975 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.

V-257993 - RHEL 9 must not allow users to override SSH environment variables.

V-257995 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

V-257999 - RHEL 9 SSH server configuration file must have mode 0600 or less permissive.

V-258007 - RHEL 9 SSH daemon must disable remote X connections for interactive users.

V-258082 - RHEL 9 policycoreutils-python-utils package must be installed.

V-258151 - RHEL 9 audit package must be installed.

Detailed Results: Low Severity (CAT III)