| Rule ID: | xccdf_mil.disa.stig_rule_SV-257787r925348_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-212010 |
| Identities: | CCI-000213 (NIST SP 800-53: AC-3; NIST SP 800-53A: AC-3.1; NIST SP 800-53 Rev 4: AC-3; NIST SP 800-53 Rev 5: AC-3) |
| Description: | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
| Fix Text: | Configure RHEL 9 to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
$ sudo grub2-setpassword
Enter password:
Confirm password: |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257787 | | Result: | false | | Title: | RHEL-09-212010 - RHEL 9 must require a boot loader superuser password. | | Description: | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:25778700 (textfilecontent54_test) | | Result: | true | | Title: | /etc/grub2.cfg:superusers exists and has a name. | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:25778700 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/etc/grub2.cfg'
- pattern must match the pattern '^\s*set\s+superusers\s*=\s*"(\S+)"\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:25778700 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '^\S+$'
|
| Test ID: | oval:mil.disa.stig.ind:tst:25778701 (textfilecontent54_test) | | Result: | false | | Title: | /boot/grub2/user.cfg:GRUB2_PASSWORD exists and has a PBKDF2/SHA512 password assigned. | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:25778701 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/boot/grub2/user.cfg'
- pattern must match the pattern '^\s*GRUB2_PASSWORD=(\S+)\b'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:25778701 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '^grub\.pbkdf2\.sha512\.'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257797r925378_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213010 |
| Identities: | CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2) CCI-001090 (NIST SP 800-53: SC-4; NIST SP 800-53A: SC-4.1; NIST SP 800-53 Rev 4: SC-4; NIST SP 800-53 Rev 5: SC-4) |
| Description: | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.
There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 |
| Fix Text: | Configure RHEL 9 to restrict access to the kernel message buffer.
Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.dmesg_restrict = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257797 | | Result: | false | | Title: | RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer. | | Description: | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.
There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
- false (One or more child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23026901 (textfilecontent54_test) | | Result: | true | | Title: | kernel.dmesg_restrict setting in admin sysctl configuration files is missing | | Check Existence: | No collected items may exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23026900 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$'
- instance must be greater than or equal to '1'
|
| Test ID: | oval:mil.disa.stig.ind:tst:23026902 (textfilecontent54_test) | | Result: | false | | Title: | kernel.dmesg_restrict setting in system sysctl configuration files is set to 1 | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23026901 (textfilecontent54_object) | | Object Requirements: | - for path, at least one of the following must be true:
- path must be equal to '/run/sysctl.d'
- path must be equal to '/lib/sysctl.d'
- path must be equal to '/usr/lib/sysctl.d'
- path must be equal to '/usr/local/lib/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23026900 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1'
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.ind:tst:23026900 (textfilecontent54_test) | | Result: | false | | Title: | kernel.dmesg_restrict setting in admin sysctl configuration files is set to 1 | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23026900 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23026900 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1'
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.unix:tst:23026900 (sysctl_test) | | Result: | false | | Title: | kernel.dmesg_restrict setting in kernel is set to 1 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23026900 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.dmesg_restrict'
| | State ID: | oval:mil.disa.stig.unix:ste:23026900 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '1'
| Collected Item/State Result: [ false ] | - name equals 'kernel.dmesg_restrict'
- value equals '0'
| | Additional Information: | Check requirement not met. value
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257798r925381_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213015 |
| Identities: | CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2) CCI-001090 (NIST SP 800-53: SC-4; NIST SP 800-53A: SC-4.1; NIST SP 800-53 Rev 4: SC-4; NIST SP 800-53 Rev 5: SC-4) |
| Description: | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.
There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 |
| Fix Text: | Configure RHEL 9 to prevent kernel profiling by nonprivileged users.
Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.perf_event_paranoid = 2
Load settings from all system configuration files with the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257798 | | Result: | false | | Title: | RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users. | | Description: | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.
There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23027000 (sysctl_test) | | Result: | true | | Title: | kernel.perf_event_paranoid setting in kernel is set to 2 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23027000 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.perf_event_paranoid'
| | State ID: | oval:mil.disa.stig.unix:ste:20000011 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '2'
|
| Test ID: | oval:mil.disa.stig.ind:tst:23027001 (textfilecontent54_test) | | Result: | false | | Title: | kernel.perf_event_paranoid setting in /etc/sysctl.d/99-*.conf is set to 2, and nothing else, and there are no conflicting settings in other files | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23027003 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000004 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '2'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257799r925384_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213020 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) CCI-001749 (NIST SP 800-53 Rev 4: CM-5 (3)) |
| Description: | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Disabling kexec_load prevents an unsigned kernel image (which could be a Windows kernel or a modified, vulnerable kernel) from being loaded. Kexec can be used to subvert the entire Secure Boot process and should be avoided at all costs, especially since it can load unsigned kernel images.
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 |
| Fix Text: | Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
kernel.kexec_load_disabled = 1
Load settings from all system configuration files with the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257799 | | Result: | false | | Title: | RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution. | | Description: | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Disabling kexec_load prevents an unsigned kernel image (which could be a Windows kernel or a modified, vulnerable kernel) from being loaded. Kexec can be used to subvert the entire Secure Boot process and should be avoided at all costs, especially since it can load unsigned kernel images.
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23026600 (sysctl_test) | | Result: | false | | Title: | kernel.kexec_load_disabled setting in kernel is set to 1 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23026600 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.kexec_load_disabled'
| | State ID: | oval:mil.disa.stig.unix:ste:20000010 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '1'
| Collected Item/State Result: [ false ] | - name equals 'kernel.kexec_load_disabled'
- value equals '0'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23026601 (textfilecontent54_test) | | Result: | false | | Title: | kernel.kexec_load_disabled setting in sysctl configuration files is set to 1, and nothing else | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23026603 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257803r925396_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213040 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
| Fix Text: | Configure RHEL 9 to disable storing core dumps.
Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
kernel.core_pattern = |/bin/false
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257803 | | Result: | false | | Title: | RHEL-09-213040 - RHEL 9 must disable the kernel.core_pattern. | | Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
- false (One or more child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23031101 (textfilecontent54_test) | | Result: | true | | Title: | kernel.core_pattern setting in admin sysctl configuration files is missing | | Check Existence: | No collected items may exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23031100 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.core_pattern\s*=\s*(.+)\s*$'
- instance must be greater than or equal to '1'
|
| Test ID: | oval:mil.disa.stig.ind:tst:23031102 (textfilecontent54_test) | | Result: | false | | Title: | kernel.core_pattern setting in system sysctl configuration files is set to 1 | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23031101 (textfilecontent54_object) | | Object Requirements: | - for path, at least one of the following must be true:
- path must be equal to '/run/sysctl.d'
- path must be equal to '/lib/sysctl.d'
- path must be equal to '/usr/lib/sysctl.d'
- path must be equal to '/usr/local/lib/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.core_pattern\s*=\s*(.+)\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23031100 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '|/bin/false'
| Collected Item/State Result: [ false ] | - filepath equals '/lib/sysctl.d/50-coredump.conf'
- path equals '/lib/sysctl.d'
- filename equals '50-coredump.conf'
- pattern equals '^\s*kernel\.core_pattern\s*=\s*(.+)\s*$'
- instance equals '1'
- text equals 'kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
- subexpression equals '|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
| Collected Item/State Result: [ false ] | - filepath equals '/usr/lib/sysctl.d/50-coredump.conf'
- path equals '/usr/lib/sysctl.d'
- filename equals '50-coredump.conf'
- pattern equals '^\s*kernel\.core_pattern\s*=\s*(.+)\s*$'
- instance equals '1'
- text equals 'kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
- subexpression equals '|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
| | Additional Information: | Check requirement not met. subexpression subexpression
|
| Test ID: | oval:mil.disa.stig.ind:tst:23031100 (textfilecontent54_test) | | Result: | false | | Title: | kernel.core_pattern setting in admin sysctl configuration files is set to 1 | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23031100 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/sysctl.d'
- filename must match the pattern '^.*\.conf$'
- pattern must match the pattern '^\s*kernel\.core_pattern\s*=\s*(.+)\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23031100 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '|/bin/false'
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.unix:tst:23031100 (sysctl_test) | | Result: | false | | Title: | kernel.core_pattern setting in kernel is set to 1 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23031100 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.core_pattern'
| | State ID: | oval:mil.disa.stig.unix:ste:23031100 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '|/bin/false'
| Collected Item/State Result: [ false ] | - name equals 'kernel.core_pattern'
- value equals '|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
| | Additional Information: | Check requirement not met. value
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257805r925402_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213050 |
| Identities: | CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a) |
| Description: | Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation. |
| Fix Text: | To configure the system to prevent the can kernel module from being loaded, add the following lines to the file /etc/modprobe.d/can.conf (or create can.conf if it does not exist):
install can /bin/false
blacklist can |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257805 | | Result: | false | | Title: | RHEL-09-213050 - RHEL 9 must be configured to disable the Controller Area Network kernel module. | | Description: | Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23049501 (textfilecontent54_test) | | Result: | false | | Title: | /etc/modprobe.d contains a file that contains 'blacklist can' | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23049501 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/modprobe.d'
- filename must match the pattern '.*'
- pattern must match the pattern '^[ \t]*blacklist[ \t]+can[ \t]*$'
- instance must be greater than or equal to '1'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257808r925411_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213065 |
| Identities: | CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a) |
| Description: | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect unused protocols can result in a system compromise.
The Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
| Fix Text: | To configure the system to prevent the tipc kernel module from being loaded, add the following lines to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist):
install tipc /bin/false
blacklist tipc |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257808 | | Result: | false | | Title: | RHEL-09-213065 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. | | Description: | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect unused protocols can result in a system compromise.
The Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23049700 (textfilecontent54_test) | | Result: | false | | Title: | /etc/modprobe.d contains a file that contains 'install tipc /bin/true' | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23049700 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/modprobe.d'
- filename must match the pattern '.*'
- pattern must match the pattern '^[ \t]*install[ \t]+tipc[ \t]+/bin/true[ \t]*$'
- instance must be greater than or equal to '1'
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.ind:tst:23049701 (textfilecontent54_test) | | Result: | false | | Title: | /etc/modprobe.d contains a file that contains 'blacklist tipc' | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23049701 (textfilecontent54_object) | | Object Requirements: | - path must be equal to '/etc/modprobe.d'
- filename must match the pattern '.*'
- pattern must match the pattern '^[ \t]*blacklist[ \t]+tipc[ \t]*$'
- instance must be greater than or equal to '1'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257810r925417_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213075 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2) |
| Description: | Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 |
| Fix Text: | Configure RHEL 9 to prevent privilege escalation through the kernel by disabling unprivileged access to the bpf syscall. Add the following line to a file in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257810 | | Result: | false | | Title: | RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes. | | Description: | Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23054500 (sysctl_test) | | Result: | false | | Title: | kernel.unprivileged_bpf_disabled setting in kernel is set to 1 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23054500 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.unprivileged_bpf_disabled'
| | State ID: | oval:mil.disa.stig.unix:ste:20000010 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '1'
| Collected Item/State Result: [ false ] | - name equals 'kernel.unprivileged_bpf_disabled'
- value equals '2'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23054501 (textfilecontent54_test) | | Result: | false | | Title: | kernel.unprivileged_bpf_disabled is set to 1, and nothing else, and there are no conflicting settings in other files | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23054501 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257811r925420_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213080 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) CCI-001082 (NIST SP 800-53: SC-2; NIST SP 800-53A: SC-2.1; NIST SP 800-53 Rev 4: SC-2; NIST SP 800-53 Rev 5: SC-2) |
| Description: | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user. In this way, an attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 |
| Fix Text: | Configure RHEL 9 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory:
kernel.yama.ptrace_scope = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257811 | | Result: | false | | Title: | RHEL-09-213080 - RHEL 9 must restrict usage of ptrace to descendant processes. | | Description: | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user. In this way, an attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).
Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23054600 (sysctl_test) | | Result: | false | | Title: | kernel.yama.ptrace_scope setting in kernel is set to 1 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23054600 (sysctl_object) | | Object Requirements: | - name must be equal to 'kernel.yama.ptrace_scope'
| | State ID: | oval:mil.disa.stig.unix:ste:20000010 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '1'
| Collected Item/State Result: [ false ] | - name equals 'kernel.yama.ptrace_scope'
- value equals '0'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23054601 (textfilecontent54_test) | | Result: | false | | Title: | kernel.yama.ptrace_scope in sysctl configuration files is set to 1, and nothing else, and there are no conflicting settings in other files | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23054603 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1'
| Collected Item/State Result: [ false ] | - filepath equals '/lib/sysctl.d/10-default-yama-scope.conf'
- path equals '/lib/sysctl.d'
- filename equals '10-default-yama-scope.conf'
- pattern equals '(?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$'
- instance equals '1'
- text equals 'kernel.yama.ptrace_scope = 0'
- subexpression equals '0'
| Collected Item/State Result: [ false ] | - filepath equals '/usr/lib/sysctl.d/10-default-yama-scope.conf'
- path equals '/usr/lib/sysctl.d'
- filename equals '10-default-yama-scope.conf'
- pattern equals '(?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$'
- instance equals '1'
- text equals 'kernel.yama.ptrace_scope = 0'
- subexpression equals '0'
| | Additional Information: | Check requirement not met. subexpression subexpression
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257813r925426_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213090 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. |
| Fix Text: | Configure the operating system to disable storing core dumps for all users.
Add or modify the following line in /etc/systemd/coredump.conf:
Storage=none |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257813 | | Result: | false | | Title: | RHEL-09-213090 - RHEL 9 must disable storing core dumps. | | Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23031400 (textfilecontent54_test) | | Result: | false | | Title: | /usr/systemd/coredump.conf:Storage is set to none. | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23031400 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/etc/systemd/coredump.conf'
- pattern must match the pattern '^\s*Storage\s*=\s*(\w*)\s*(?:#.*)?$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:20000014 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to 'none'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257814r925429_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213095 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
| Fix Text: | Configure the operating system to disable core dumps for all users.
Add the following line to the top of /etc/security/limits.conf, or to a single ".conf" file in /etc/security/limits.d/:
* hard core 0 |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257814 | | Result: | false | | Title: | RHEL-09-213095 - RHEL 9 must disable core dumps for all users. | | Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23031300 (textfilecontent54_test) | | Result: | false | | Title: | For the global domain, core is set to 0. | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23031300 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:23031300 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '0'
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.ind:tst:23031301 (textfilecontent54_test) | | Result: | true | | Title: | If core is set for any specific domains, it is set to 0. | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23031301 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:23031300 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '0'
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257815r925432_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213100 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
| Fix Text: | Configure the system to disable the systemd-coredump.socket with the following command:
$ sudo systemctl mask --now systemd-coredump.socket
Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
Reload the daemon for this change to take effect.
$ sudo systemctl daemon-reload |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257815 | | Result: | false | | Title: | RHEL-09-213100 - RHEL 9 must disable acquiring, saving, and processing core dumps. | | Description: | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23031200 (systemdunitproperty_test) | | Result: | false | | Title: | systemd-coredump.socket LoadState is masked if exists | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23031200 (systemdunitproperty_object) | | Object Requirements: | - unit must be equal to 'systemd-coredump.socket'
- property must be equal to 'LoadState'
| | State ID: | oval:mil.disa.stig.linux:ste:23031200 (systemdunitproperty_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to 'masked'
| Collected Item/State Result: [ false ] | - unit equals 'systemd-coredump.socket'
- property equals 'LoadState'
- value equals 'loaded'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.linux:tst:23031201 (systemdunitproperty_test) | | Result: | false | | Title: | systemd-coredump.socket UnitFileState is masked if exists | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23031201 (systemdunitproperty_object) | | Object Requirements: | - unit must be equal to 'systemd-coredump.socket'
- property must be equal to 'UnitFileState'
| | State ID: | oval:mil.disa.stig.linux:ste:23031201 (systemdunitproperty_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to 'masked'
| Collected Item/State Result: [ false ] | - unit equals 'systemd-coredump.socket'
- property equals 'UnitFileState'
- value equals 'static'
| | Additional Information: | Check requirement not met. value
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257816r925435_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-213105 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. |
| Fix Text: | Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory:
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable.
user.max_user_namespaces = 0
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257816 | | Result: | false | | Title: | RHEL-09-213105 - RHEL 9 must disable the use of user namespaces. | | Description: | User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23054800 (sysctl_test) | | Result: | false | | Title: | user.max_user_namespaces is set to 0 in kernel | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23054800 (sysctl_object) | | Object Requirements: | - name must be equal to 'user.max_user_namespaces'
| | State ID: | oval:mil.disa.stig.unix:ste:20000009 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '0'
| Collected Item/State Result: [ false ] | - name equals 'user.max_user_namespaces'
- value equals '62543'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23054801 (textfilecontent54_test) | | Result: | false | | Title: | user.max_user_namespaces is set to 0 in the sysctl configuration files. | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23054803 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '0'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257834r925489_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-215055 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) CCI-000381 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (ii); NIST SP 800-53 Rev 4: CM-7 a; NIST SP 800-53 Rev 5: CM-7 a) |
| Description: | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 |
| Fix Text: | Remove the tuned package with the following command:
$ sudo dnf remove tuned |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257834 | | Result: | false | | Title: | RHEL-09-215055 - RHEL 9 must not have the tuned package installed. | | Description: | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23056100 (rpminfo_test) | | Result: | true | | Title: | tuned package is installed | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.linux:obj:23056100 (rpminfo_object) | | Object Requirements: | - name must be equal to 'tuned'
| Collected Item/State Result: [ not evaluated ] | - name equals 'tuned'
- arch equals 'noarch'
- epoch equals '(none)'
- release equals '1.el9_3'
- version equals '2.21.0'
- evr equals '0:2.21.0-1.el9_3'
- signature_keyid equals '199e2f91fd431d51'
- extended_name equals 'tuned-(none):2.21.0-1.el9_3.noarch'
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257840r925507_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-215085 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. The "nss-tools" package provides the command-line tools used to manipulate the NSS certificate and key database. |
| Fix Text: | The nss-tools package can be installed with the following command:
$ sudo dnf install nss-tools |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257840 | | Result: | false | | Title: | RHEL-09-215085 - RHEL 9 must have the nss-tools package installed. | | Description: | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. The "nss-tools" package provides the command-line tools used to manipulate the NSS certificate and key database. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:25784000 (rpminfo_test) | | Result: | false | | Title: | package nss-tools is installed | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.linux:obj:25784000 (rpminfo_object) | | Object Requirements: | - name must be equal to 'nss-tools'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257841r925510_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-215090 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. |
| Fix Text: | The rng-tools package can be installed with the following command:
$ sudo dnf install rng-tools |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257841 | | Result: | false | | Title: | RHEL-09-215090 - RHEL 9 must have the rng-tools package installed. | | Description: | "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:24452700 (rpminfo_test) | | Result: | false | | Title: | The rng-tools package is installed. | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.linux:obj:24452700 (rpminfo_object) | | Object Requirements: | - name must be equal to 'rng-tools'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257842r925513_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-215095 |
| Identities: | CCI-001744 (NIST SP 800-53 Rev 4: CM-3 (5); NIST SP 800-53 Rev 5: CM-3 (5)) |
| Description: | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. |
| Fix Text: | The s-nail package can be installed with the following command:
$ sudo dnf install s-nail |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257842 | | Result: | false | | Title: | RHEL-09-215095 - RHEL 9 must have the s-nail package installed. | | Description: | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:25784200 (rpminfo_test) | | Result: | false | | Title: | The s-nail package is installed | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.linux:obj:25784200 (rpminfo_object) | | Object Requirements: | - name must be equal to 's-nail'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257850r925537_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-231045 |
| Identities: | CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2)) |
| Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. |
| Fix Text: | Modify "/etc/fstab" to use the "nodev" option on the "/home" directory. |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257850 | | Result: | false | | Title: | RHEL-09-231045 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. | | Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:25785000 (partition_test) | | Result: | false | | Title: | /home is mounted with the noexec option | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:25785000 (partition_object) | | Object Requirements: | - mount_point must be equal to '/home'
| | State ID: | oval:mil.disa.stig.linux:ste:20000001 (partition_state) | | State Requirements: | - check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
| Collected Item/State Result: [ not evaluated ] | - mount_point does not exist
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257864r925579_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-231115 |
| Identities: | CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2)) |
| Description: | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. |
| Fix Text: | Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system. |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257864 | | Result: | false | | Title: | RHEL-09-231115 - RHEL 9 must mount /dev/shm with the noexec option. | | Description: | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23051000 (partition_test) | | Result: | false | | Title: | If /dev/shm is mounted, it is mounted with the noexec option | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23051000 (partition_object) | | Object Requirements: | - mount_point must be equal to '/dev/shm'
| | State ID: | oval:mil.disa.stig.linux:ste:20000000 (partition_state) | | State Requirements: | - check_existence = 'at_least_one_exists', mount_options must be equal to 'noexec'
| Collected Item/State Result: [ false ] | - Message - 'device'
- mount_point equals '/dev/shm'
- device equals 'tmpfs'
- uuid does not exist
- fs_type equals 'tmpfs'
- mount_options equals 'rw'
- mount_options equals 'nosuid'
- mount_options equals 'nodev'
- mount_options equals 'seclabel'
- mount_options equals 'inode64'
- mount_options equals '6'
- total_space equals '2012865'
- space_used equals '0'
- space_left equals '2012865'
- space_left_for_unprivileged_users equals '2012865'
- block_size equals '4096'
| | Additional Information: | Check requirement not met. mount_options
|
| Test ID: | oval:mil.disa.stig.ind:tst:23051001 (textfilecontent54_test) | | Result: | true | | Title: | If /dev/shm is configured in /etc/fstab, it is configured with the noexec option | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23051001 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/etc/fstab'
- pattern must match the pattern '^\s*[^#\s]+\s+/dev/shm\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$'
- instance must be equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23051001 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '(?:^noexec$|^noexec,|,noexec$|,noexec,)'
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257867r925588_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-231130 |
| Identities: | CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2)) |
| Description: | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. |
| Fix Text: | Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory. |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257867 | | Result: | false | | Title: | RHEL-09-231130 - RHEL 9 must mount /tmp with the noexec option. | | Description: | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23051300 (partition_test) | | Result: | false | | Title: | /tmp is mounted with the noexec option | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23029500 (partition_object) | | Object Requirements: | - mount_point must be equal to '/tmp'
| | State ID: | oval:mil.disa.stig.linux:ste:20000000 (partition_state) | | State Requirements: | - check_existence = 'at_least_one_exists', mount_options must be equal to 'noexec'
| Collected Item/State Result: [ not evaluated ] | - mount_point does not exist
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257873r925606_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-231160 |
| Identities: | CCI-001764 (NIST SP 800-53 Rev 4: CM-7 (2); NIST SP 800-53 Rev 5: CM-7 (2)) |
| Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. |
| Fix Text: | Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory. |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257873 | | Result: | false | | Title: | RHEL-09-231160 - RHEL 9 must mount /var/log/audit with the nodev option. | | Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23051700 (partition_test) | | Result: | false | | Title: | /var/log/audit is mounted with the nodev option | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23051700 (partition_object) | | Object Requirements: | - mount_point must be equal to '/var/log/audit'
| | State ID: | oval:mil.disa.stig.linux:ste:20000001 (partition_state) | | State Requirements: | - check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
| Collected Item/State Result: [ not evaluated ] | - mount_point does not exist
| | Additional Information: | Check existence requirement not met.
|
| Test ID: | oval:mil.disa.stig.ind:tst:23051701 (variable_test) | | Result: | false | | Title: | /var/log/audit is configured with the nodev option in /etc/fstab | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23051701 (variable_object) | | Object Requirements: | - var_ref must be equal to 'oval:mil.disa.stig.linux:var:23051700'
| | State ID: | oval:mil.disa.stig.ind:ste:23051700 (variable_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to 'nodev'
| Collected Item/State Result: [ false ] | - var_ref equals 'oval:mil.disa.stig.linux:var:23051700'
- value equals ''
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23051702 (textfilecontent54_test) | | Result: | false | | Title: | /var/log/audit is configured in /etc/fstab | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.ind:obj:23051702 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/etc/fstab'
- pattern must match the pattern '^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$'
- instance must be equal to '1'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257881r925630_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-231200 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. |
| Fix Text: | Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257881 | | Result: | false | | Title: | RHEL-09-231200 - RHEL 9 must prevent special devices on non-root local partitions. | | Description: | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23030100 (partition_test) | | Result: | false | | Title: | Device files are mounted with the nodev option. Mounts on '/' are ignored. | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.linux:obj:23030100 (partition_object) | | Object Requirements: | - mount_point must match the pattern '^/\S+$'
| | Include Items If: | - device matches the pattern '^/dev\S*$'
| | State ID: | oval:mil.disa.stig.linux:ste:20000001 (partition_state) | | State Requirements: | - check_existence = 'at_least_one_exists', mount_options must be equal to 'nodev'
| Collected Item/State Result: [ false ] | - mount_point equals '/boot'
- device equals '/dev/xvda3'
- uuid equals '48ebf8a2-a37f-4e53-9bf6-d77493ca7700'
- fs_type equals 'xfs'
- mount_options equals 'rw'
- mount_options equals 'relatime'
- mount_options equals 'seclabel'
- mount_options equals 'attr2'
- mount_options equals 'inode64'
- mount_options equals 'logbufs=8'
- mount_options equals 'logbsize=32k'
- mount_options equals 'noquota'
- mount_options equals '4096'
- total_space equals '126632'
- space_used equals '62801'
- space_left equals '63831'
- space_left_for_unprivileged_users equals '63831'
- block_size equals '4096'
| Collected Item/State Result: [ false ] | - mount_point equals '/boot/efi'
- device equals '/dev/xvda2'
- uuid equals '7B77-95E7'
- fs_type equals 'vfat'
- mount_options equals 'rw'
- mount_options equals 'relatime'
- mount_options equals 'fmask=0077'
- mount_options equals 'dmask=0077'
- mount_options equals 'codepage=437'
- mount_options equals 'iocharset=ascii'
- mount_options equals 'shortname=winnt'
- mount_options equals 'errors=remount-ro'
- mount_options equals '4096'
- total_space equals '51145'
- space_used equals '5'
- space_left equals '51140'
- space_left_for_unprivileged_users equals '51140'
- block_size equals '4096'
| | Additional Information: | Check requirement not met. mount_options mount_options
|
| Test ID: | oval:mil.disa.stig.ind:tst:23030101 (textfilecontent54_test) | | Result: | true | | Title: | Device files are configured in /etc/fstab to use the nodev option. Mounts on '/' are ignored. | | Check Existence: | Zero or more collected items may exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23030101 (textfilecontent54_object) | | Object Requirements: | - filepath must be equal to '/etc/fstab'
- pattern must match the pattern '^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$'
- instance must be greater than or equal to '1'
| | State ID: | oval:mil.disa.stig.ind:ste:23030100 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '(?:^nodev$|^nodev,|,nodev$|,nodev,)'
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257935r928954_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-251010 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) CCI-000382 (NIST SP 800-53: CM-7; NIST SP 800-53A: CM-7.1 (iii); NIST SP 800-53 Rev 4: CM-7 b; NIST SP 800-53 Rev 5: CM-7 b) CCI-002314 (NIST SP 800-53 Rev 4: AC-17 (1); NIST SP 800-53 Rev 5: AC-17 (1)) CCI-002322 (NIST SP 800-53 Rev 4: AC-17 (9); NIST SP 800-53 Rev 5: AC-17 (9)) |
| Description: | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232 |
| Fix Text: | To install the "firewalld" package run the following command:
$ sudo dnf install firewalld |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257935 | | Result: | false | | Title: | RHEL-09-251010 - RHEL 9 must have the firewalld package installed. | | Description: | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.linux:tst:23050500 (rpminfo_test) | | Result: | false | | Title: | firewalld package is installed | | Check Existence: | One or more collected items must exist. | | Check: | Result is based on check existence only. | | Object ID: | oval:mil.disa.stig.linux:obj:23050500 (rpminfo_object) | | Object Requirements: | - name must be equal to 'firewalld'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257969r925894_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-253070 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
| Fix Text: | Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv4.conf.default.send_redirects = 0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257969 | | Result: | false | | Title: | RHEL-09-253070 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | | Description: | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:23054300 (sysctl_test) | | Result: | false | | Title: | net.ipv4.conf.default.send_redirects is set to 0 in kernel | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:23054300 (sysctl_object) | | Object Requirements: | - name must be equal to 'net.ipv4.conf.default.send_redirects'
| | State ID: | oval:mil.disa.stig.unix:ste:20000009 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '0'
| Collected Item/State Result: [ false ] | - name equals 'net.ipv4.conf.default.send_redirects'
- value equals '1'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:23054301 (textfilecontent54_test) | | Result: | false | | Title: | net.ipv4.conf.default.send_redirects is set to 0 in the sysctl configuration files. | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23054303 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '0'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257975r925912_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-254030 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | An illicit router advertisement message could result in a man-in-the-middle attack. |
| Fix Text: | Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.default.accept_ra = 0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257975 | | Result: | false | | Title: | RHEL-09-254030 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. | | Description: | An illicit router advertisement message could result in a man-in-the-middle attack. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.unix:tst:25312000 (sysctl_test) | | Result: | false | | Title: | net.ipv6.conf.default.accept_ra setting in kernel is set to 0 | | Check Existence: | All collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.unix:obj:25312000 (sysctl_object) | | Object Requirements: | - name must be equal to 'net.ipv6.conf.default.accept_ra'
| | State ID: | oval:mil.disa.stig.unix:ste:20000009 (sysctl_state) | | State Requirements: | - check_existence = 'at_least_one_exists', value must be equal to '0'
| Collected Item/State Result: [ false ] | - name equals 'net.ipv6.conf.default.accept_ra'
- value equals '1'
| | Additional Information: | Check requirement not met. value
|
| Test ID: | oval:mil.disa.stig.ind:tst:25312001 (textfilecontent54_test) | | Result: | false | | Title: | net.ipv6.conf.default.accept_ra setting in the sysctl configuration files is set to 0, and nothing else | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:25312003 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000002 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '0'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257993r925966_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-255085 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | SSH environment options potentially allow users to bypass access restriction in some configurations. |
| Fix Text: | Configure the RHEL 9 SSH daemon to not allow unattended or automatic logon to the system.
Add or edit the following line in the "/etc/ssh/sshd_config" file:
PermitUserEnvironment no
Restart the SSH daemon for the setting to take effect:
$ sudo systemctl restart sshd.service |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257993 | | Result: | false | | Title: | RHEL-09-255085 - RHEL 9 must not allow users to override SSH environment variables. | | Description: | SSH environment options potentially allow users to bypass access restriction in some configurations. | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | | Test ID: | oval:mil.disa.stig.ind:tst:23033000 (textfilecontent54_test) | | Result: | false | | Title: | The PermitUserEnvironment option is not set to yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf. | | Check Existence: | One or more collected items must exist. | | Check: | All collected items must match the given state(s). | | Object ID: | oval:mil.disa.stig.ind:obj:23033000 (textfilecontent54_object) | | Object Requirements: | - Collect any available items.
| | State ID: | oval:mil.disa.stig.ind:ste:20000017 (textfilecontent54_state) | | State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '^(no|"no")$'
| | Additional Information: | Check existence requirement not met.
|
|
| Rule ID: | xccdf_mil.disa.stig_rule_SV-257995r925972_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-255095 |
| Identities: | CCI-001133 (NIST SP 800-53: SC-10; NIST SP 800-53A: SC-10.1 (ii); NIST SP 800-53 Rev 4: SC-10; NIST SP 800-53 Rev 5: SC-10) CCI-002361 (NIST SP 800-53 Rev 4: AC-12; NIST SP 800-53 Rev 5: AC-12) |
| Description: | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
RHEL 9 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 |
| Fix Text: | Note: This setting must be applied in conjunction with RHEL-09-255100 to function correctly.
Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.
Modify or append the following line in the "/etc/ssh/sshd_config" file:
ClientAliveCountMax 1
In order for the changes to take effect, the SSH daemon must be restarted.
$ sudo systemctl restart sshd.service |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
|
| Definitions: | | Definition ID: | oval:mil.disa.stig.rhel9os:def:257995 | | Result: | false | | Title: | RHEL-09-255095 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | | Description: | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
RHEL 9 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds, after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 | | Class: | compliance | | Tests: | - false (All child checks must be true.)
- false (All child checks must be true.)
|
|
| Tests: | |
| Test ID: | oval:mil.disa.stig.ind:tst:23024400 (textfilecontent54_test) |
| Result: | false |
| Title: | /etc/ssh/sshd_config:ClientAliveCountMax = 1 |
| Check Existence: | One or more collected items must exist. |
| Check: | All collected items must match the given state(s). |
| Object ID: | oval:mil.disa.stig.ind:obj:23024400 (textfilecontent54_object) |
| Object Requirements: | - filepath must be equal to '/etc/ssh/sshd_config'
- pattern must match the pattern '^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$'
- instance must be greater than or equal to '1' |
| State ID: | oval:mil.disa.stig.ind:ste:20000003 (textfilecontent54_state) |
| State Requirements: | - check_existence = 'at_least_one_exists', subexpression must be equal to '1' |
| Additional Information: | Check existence requirement not met. |
| Rule ID: | xccdf_mil.disa.stig_rule_SV-258007r926008_rule |
| Test Type: | Automated |
| Result: | Fail |
| Version: | RHEL-09-255155 |
| Identities: | CCI-000366 (NIST SP 800-53: CM-6 b; NIST SP 800-53A: CM-6.1 (iv); NIST SP 800-53 Rev 4: CM-6 b; NIST SP 800-53 Rev 5: CM-6 b) |
| Description: | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. |
| Fix Text: | Configure the SSH daemon to not allow X11 forwarding.
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
X11forwarding no
The SSH service must be restarted for changes to take effect:
$ sudo systemctl restart sshd.service |
| Severity: | medium |
| Weight: | 10.0 |
| Reference: | | Title: | DPMS Target Red Hat Enterprise Linux 9 | | Publisher: | DISA | | Type: | DPMS Target | | Subject: | Red Hat Enterprise Linux 9 | | Identifier: | 5551 |
| Definitions: | |
| Definition ID: | oval:mil.disa.stig.rhel9os:def:258007 |
| Result: | false |
| Title: | RHEL-09-255155 - RHEL 9 SSH daemon must disable remote X connections for interactive users. |
| Description: | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. |
| Class: | compliance |
| Tests: | - false (All child checks must be true.)
- false (All child checks must be true.) |
| Tests: | |
| Test ID: | oval:mil.disa.stig.ind:tst:23055500 (textfilecontent54_test) |
| Result: | false |
| Title: | Query the value of the X11Forwarding setting in /etc/ssh/sshd_config |
| Check Existence: | One or more collected items must exist. |
| Check: | All collected items must match the given state(s). |
| Object ID: | oval:mil.disa.stig.ind:obj:23055500 (textfilecontent54_object) |
| Object Requirements: | - behavior requirements:
- filepath must be equal to '/etc/ssh/sshd_config'
- pattern must match the pattern '^\s*X11Forwarding[ \t]+([^\s#]*)[ \t]*(?:|(?:#.*))?$'
- instance must be greater than or equal to '1' |
| State ID: | oval:mil.disa.stig.ind:ste:20000017 (textfilecontent54_state) |
| State Requirements: | - check_existence = 'at_least_one_exists', subexpression must match the pattern '^(no|"no")$' |
| Additional Information: | Check existence requirement not met. |