Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r743912_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r818816_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-230266"><title>SRG-OS-000366-GPOS-00153</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230266r833290_rule" weight="10.0" severity="medium"><version>RHEL-08-010372</version><title>RHEL 8 must prevent the loading of a new kernel for later execution.</title><description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32910r818815_fix" /><check system="C-32935r818814_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32910r818815_fix" /><check system="C-32935r833289_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable kernel image loading with the following commands:
Check the status of the kernel.kexec_load_disabled kernel parameter.
If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r818819_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230267"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230267r833292_rule" weight="10.0" severity="medium"><version>RHEL-08-010373</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
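Review bot: the replacement line `+If conflicting results are returned, this is a finding.` leaves "conflicting" undefined, and the ambiguity matters for kernel.kexec_load_disabled: a second drop-in in /etc/sysctl.d that sets the parameter to 0 under a lexicographically later file name silently wins over the correct entry, which is exactly the case the old "more than one file location" wording caught. Suggest stating what is being compared, along the lines of: every returned line must set kernel.kexec_load_disabled to 1, any file that sets a different value is a finding regardless of which one takes effect, and the running value from `sudo sysctl kernel.kexec_load_disabled` must also be 1. While the VulnDiscussion context is being touched, "ad-on" should read "add-on" and "Kexec can be used subvert the entire secureboot process" is missing "to"; both are in the unchanged context lines above.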
@@ -907,7 +907,7 @@ fs.protected_symlinks = 1
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32911r818818_fix" /><check system="C-32936r818817_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32911r818818_fix" /><check system="C-32936r833291_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on symlinks with the following commands:
Check the status of the fs.protected_symlinks kernel parameter.
If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r818822_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230268"><title>SRG-OS-000312-GPOS-00122</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230268r833294_rule" weight="10.0" severity="medium"><version>RHEL-08-010374</version><title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</title><description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
@@ -947,7 +947,7 @@ fs.protected_hardlinks = 1
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32912r818821_fix" /><check system="C-32937r818820_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32912r818821_fix" /><check system="C-32937r833293_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to enable DAC on hardlinks with the following commands:
Check the status of the fs.protected_hardlinks kernel parameter.
If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r818825_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230269"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230269r833296_rule" weight="10.0" severity="low"><version>RHEL-08-010375</version><title>RHEL 8 must restrict access to the kernel message buffer.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
@@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32913r818824_fix" /><check system="C-32938r818823_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32913r818824_fix" /><check system="C-32938r833295_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:
Check the status of the kernel.dmesg_restrict kernel parameter.
If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r818828_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230270"><title>SRG-OS-000138-GPOS-00069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230270r833298_rule" weight="10.0" severity="low"><version>RHEL-08-010376</version><title>RHEL 8 must prevent kernel profiling by unprivileged users.</title><description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-32914r818827_fix" /><check system="C-32939r818826_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-32914r818827_fix" /><check system="C-32939r833297_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands:
Check the status of the kernel.perf_event_paranoid kernel parameter.
If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230271"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230271r833301_rule" weight="10.0" severity="medium"><version>RHEL-08-010380</version><title>RHEL 8 must require users to provide a password for privilege escalation.</title><description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-32915r567560_fix">Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</fixtext><fix id="F-32915r567560_fix" /><check system="C-32940r567559_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "/etc/sudoers" has no occurrences of "NOPASSWD".
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-32915r833300_fix">Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" file with the following command:
+$ sudo visudo
+
+Remove any occurrences of "NOPASSWD" tags in the file.
+
+Check the configuration of the /etc/sudoers.d/* files with the following command:
+$ sudo grep -ir nopasswd /etc/sudoers.d
+
+Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-32915r833300_fix" /><check system="C-32940r833299_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that "/etc/sudoers" has no occurrences of "NOPASSWD".
Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command:
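Review bot: `$ sudo grep -ir nopasswd /etc/sudoers.d` in the new fixtext both over-matches and under-covers. `-i` returns commented-out lines and the recursive output is prefixed with file names, so an operator acting on the raw hits may "remove" a harmless comment, while a real `NOPASSWD:` tag in a file pulled in by an `@includedir`/`#includedir` directive that points outside /etc/sudoers.d is never listed. Anchor the pattern to uncommented text, for example `grep -rE '^[^#]*NOPASSWD' /etc/sudoers.d`, and add a step to list include directives in /etc/sudoers so those paths are checked as well. The same hunk correctly sends the admin through `visudo` for /etc/sudoers but then has them edit the drop-ins with no syntax check; a parse error in a drop-in makes sudo refuse to run for everyone, so the instruction should be `visudo -f /etc/sudoers.d/<file>`. Finally, "Remove any occurrences of "NOPASSWD" tags in the file." appears twice verbatim; the second instance refers to the drop-in files and should say so.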
-If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r818831_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+If "slub_debug" is not set to "P", is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230280"><title>SRG-OS-000433-GPOS-00193</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230280r833303_rule" weight="10.0" severity="medium"><version>RHEL-08-010430</version><title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</title><description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
Examples of attacks are buffer overflow attacks.
@@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2
Issue the following command to make the changes take effect:
-$ sudo sysctl --system</fixtext><fix id="F-32924r818830_fix" /><check system="C-32949r818829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
+$ sudo sysctl --system</fixtext><fix id="F-32924r818830_fix" /><check system="C-32949r833302_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 implements ASLR with the following command:
If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230281"><title>SRG-OS-000437-GPOS-00194</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230281r627750_rule" weight="10.0" severity="low"><version>RHEL-08-010440</version><title>YUM must remove all software components after updated versions have been installed on RHEL 8.</title><description><VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-32925r567590_fix">Configure the operating system to remove all software components after updated versions have been installed.
Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file:
@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS)
If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
-If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r818834_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230311r833305_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-
-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-
-When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32956r619859_fix">Configure the system to disable the systemd-coredump.socket with the following command:
-Reload the daemon for this change to take effect.
-
-$ sudo systemctl daemon-reload</fixtext><fix id="F-32956r619859_fix" /><check system="C-32981r567682_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230312"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230312r833308_rule" weight="10.0" severity="medium"><version>RHEL-08-010672</version><title>RHEL 8 must disable acquiring, saving, and processing core dumps.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+
+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32956r833307_fix">Configure the system to disable the systemd-coredump.socket with the following commands:
+Reload the daemon for this change to take effect.
+
+$ sudo systemctl daemon-reload</fixtext><fix id="F-32956r833307_fix" /><check system="C-32981r833306_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
$ sudo systemctl status systemd-coredump.socket
systemd-coredump.socket
-Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
+Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
Active: inactive (dead)
If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230313"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230313r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010673</version><title>RHEL 8 must disable core dumps for all users.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
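Review bot: the misspelling "systemd-coredumpt" in the VulnDiscussion ("When the kernel invokes systemd-coredumpt to handle a core dump") is carried unchanged into the new text; since this revision already rewrites that rule, correct it to "systemd-coredump" so the name matches the systemd-coredump.socket and systemd-coredump@.service units named in the same sentence. The corrected sample output "Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)" is the right fix for the copy-pasted ctrl-alt-del.target reason, and the fixtext now says "with the following commands" (plural) although the command lines themselves sit outside this hunk's context, so the full fixtext should be checked for that second command. Separately, replacing "If results are returned from more than one file location, this is a finding." with "If conflicting results are returned, this is a finding." at the top of the hunk relaxes that check (several locations that agree no longer constitute a finding); if that is intended, a sentence stating that duplicate entries with the same value are acceptable would make the evaluator's expectation explicit.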
-If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r810020_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r833388_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r809283_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r833310_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
-If [ "$PS1" ]; then
+if [ "$PS1" ]; then
+parent=$(ps -o ppid= -p $$)
+name=$(ps -o comm= -p $parent)
+case "$name" in (sshd|login) exec tmux ;; esac
+fi
+
+This setting will take effect at next logon.</fixtext><fix id="F-32993r833310_fix" /><check system="C-33018r833309_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
+
+Determine if tmux is currently running:
+$ sudo ps all | grep tmux | grep -v grep
+
+If the command does not produce output, this is a finding.
+
+Determine the location of the tmux script:
+$ sudo grep -r tmux /etc/bashrc /etc/profile.d
+
+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
+
+Review the tmux script by using the following example:
+$ sudo cat /etc/profile.d/tmux.sh
+if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in (sshd|login) exec tmux ;; esac
fi
-This setting will take effect at next logon.</fixtext><fix id="F-32993r809283_fix" /><check system="C-33018r810019_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
-
-Determine if tmux is currently running:
-$ sudo ps all | grep tmux | grep -v grep
-
-If the command does not produce output, this is a finding.
-
-Determine the location of the tmux script:
-$ sudo grep tmux /etc/bashrc/etc/profile.d/*
-
-/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
-
-Review the tmux script by using the following example:
-$ sudo cat /etc/profile.d/tmux.sh
-If [ "$PS1" ]; then
-parent=$(ps -o ppid= -p $$)
-name=$(ps -o comm= -p $parent)
-case "$name" in (sshd|login) exec tmux ;; esac
-fi
-
If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230350"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230350r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020042</version><title>RHEL 8 must prevent users from disabling session control mechanisms.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
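Review bot: the fixtext and the check disagree on the script's file name: the fix says to add the lines to "a custom.sh shell script in the /etc/profile.d/ directory", while the check's example output and cat command show /etc/profile.d/tmux.sh. Either name is found by "grep -r tmux /etc/bashrc /etc/profile.d", but the two should be aligned, or the check should say the file name may vary, so an evaluator does not flag a compliant custom.sh. The new grep command correctly repairs the old one, whose arguments had been run together into the nonexistent path /etc/bashrc/etc/profile.d/*, and lowering "If" to "if" makes the example script valid shell. One remaining logic point: "Determine if tmux is currently running" followed by "If the command does not produce output, this is a finding." depends on a user being logged in through sshd or login at the moment of the check; on an idle but correctly configured host "ps all | grep tmux | grep -v grep" prints nothing, so that step should be worded as supporting evidence rather than as a finding on its own.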
-If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r833313_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
-ucredit = -1</fixtext><fix id="F-33001r567818_fix" /><check system="C-33026r567817_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
+ucredit = -1</fixtext><fix id="F-33001r567818_fix" /><check system="C-33026r833312_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ucredit" with the following command:
-If the value of "ucredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230358"><title>SRG-OS-000070-GPOS-00038</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230358r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020120</version><title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "ucredit" is a positive number or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230358"><title>SRG-OS-000070-GPOS-00038</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230358r833315_rule" weight="10.0" severity="medium"><version>RHEL-08-020120</version><title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
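Review bot: the check now adds "If conflicting results are returned, this is a finding." and drops "in /etc/security/pwquality.conf" from the verify sentence, so it evidently searches more than one location, but the fixtext in the same hunk still reads only "Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value)". The fix should tell the administrator that no other location the check searches may carry a different "ucredit" value, otherwise following the fix verbatim can still produce a finding. The retained condition "If the value of "ucredit" is a positive number or is commented out, this is a finding." also lets "ucredit = 0" pass, although pwquality treats 0 as no uppercase requirement at all; "is not a negative number" would state the requirement exactly and match the fixtext's "ucredit = -1".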
@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
-lcredit = -1</fixtext><fix id="F-33002r567821_fix" /><check system="C-33027r567820_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
+lcredit = -1</fixtext><fix id="F-33002r567821_fix" /><check system="C-33027r833314_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "lcredit" with the following command:
-If the value of "lcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230359"><title>SRG-OS-000071-GPOS-00039</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230359r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020130</version><title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "lcredit" is a positive number or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230359"><title>SRG-OS-000071-GPOS-00039</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230359r833317_rule" weight="10.0" severity="medium"><version>RHEL-08-020130</version><title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
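Review bot: the retained condition "If the value of "lcredit" is a positive number or is commented out, this is a finding." does not flag "lcredit = 0", which pwquality treats as no lower-case requirement, so the condition should read "is not a negative number" to match the fixtext's "lcredit = -1". Two consistency points while this rule is being revised: the title says "lower-case character" whereas the uppercase rule above says "uppercase character", and the hunk-header context shows "RHEL 8 utilizes pwquality" unquoted here while the numeric and repeat rules below quote it as "pwquality"; pick one form for the whole set.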
@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
-dcredit = -1</fixtext><fix id="F-33003r567824_fix" /><check system="C-33028r567823_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
+dcredit = -1</fixtext><fix id="F-33003r567824_fix" /><check system="C-33028r833316_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "dcredit" with the following command:
-If the value of "dcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r809289_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "dcredit" is a positive number or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r833319_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
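Review bot: the retained condition "If the value of "dcredit" is a positive number or is commented out, this is a finding." passes "dcredit = 0", which in pwquality means no digit is required, so the condition should be "is not a negative number" to agree with the fixtext's "dcredit = -1". Also, the verify sentence now omits the file name ("Verify the value for "dcredit" with the following command:") and the new "If conflicting results are returned, this is a finding." presupposes a multi-location search, but the command itself is outside the hunk's context; the full check-content should be reviewed to confirm the command actually covers every location that clause implies.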
@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
-maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r809288_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
+maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r833318_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option with the following command:
-If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r833321_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
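Review bot: the fixtext context line reads 'Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):' with a stray "conf" after the closing quote; the hunk does not touch that line, but the same paragraph is being revised, so drop the extra word. The new check condition 'set to "0", more than "4" or is commented out' correctly treats 0 as a finding, since pwquality documents 0 as disabling the maxclassrepeat check; a comma before "or" would match the list punctuation used in the other rules.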
@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
-maxrepeat = 3</fixtext><fix id="F-33005r567830_fix" /><check system="C-33030r567829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
+maxrepeat = 3</fixtext><fix id="F-33005r567830_fix" /><check system="C-33030r833320_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxrepeat" option with the following command:
-If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230362"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230362r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020160</version><title>RHEL 8 must require the change of at least four character classes when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230362"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230362r833323_rule" weight="10.0" severity="medium"><version>RHEL-08-020160</version><title>RHEL 8 must require the change of at least four character classes when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
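Review bot: the fixtext context line 'Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):' has the stray word inside the quotes, so the quoted path is literally wrong; correct it to "/etc/security/pwquality.conf". The new check condition 'If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.' also misses "maxrepeat = 0", which pwquality treats as the check being disabled; the maxclassrepeat rule above already lists "0" as a finding, so add the same clause here.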
@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
-minclass = 4</fixtext><fix id="F-33006r567833_fix" /><check system="C-33031r567832_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
+minclass = 4</fixtext><fix id="F-33006r567833_fix" /><check system="C-33031r833322_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "minclass" option with the following command:
-If the value of "minclass" is set to less than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230363"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230363r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020170</version><title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If the value of "minclass" is set to less than "4" or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230363"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230363r833325_rule" weight="10.0" severity="medium"><version>RHEL-08-020170</version><title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
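Review bot: the fixtext context line quotes the path as "/etc/security/pwquality.conf conf"; correct the quoted path to "/etc/security/pwquality.conf" while this rule text is being revised. The new condition 'If the value of "minclass" is set to less than "4" or is commented out, this is a finding.' is sound (a value of 0 falls under it), and the added "If conflicting results are returned, this is a finding." matches the sibling rules; the fixtext, which names only one file, should tell the administrator that any other searched location must not set a different "minclass", or the fix and check will disagree on what compliant looks like.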
@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-difok = 8</fixtext><fix id="F-33007r567836_fix" /><check system="C-33032r567835_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
+difok = 8</fixtext><fix id="F-33007r567836_fix" /><check system="C-33032r833324_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value of the "difok" option with the following command:
-If the value of "difok" is set to less than "8" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230364"><title>SRG-OS-000075-GPOS-00043</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230364r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020180</version><title>RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.</title><description><VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-33008r567839_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+If the value of "difok" is set to less than "8" or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230364"><title>SRG-OS-000075-GPOS-00043</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230364r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020180</version><title>RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.</title><description><VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-33008r567839_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
$ sudo chage -m 1 [user]</fixtext><fix id="F-33008r567839_fix" /><check system="C-33033r567838_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.
-If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-230369"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230369r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020230</version><title>RHEL 8 passwords must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-230369"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230369r833327_rule" weight="10.0" severity="medium"><version>RHEL-08-020230</version><title>RHEL 8 passwords must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
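Review bot: the sentence appended to the difok check, "If conflicting results are returned, this is a finding.", presumes the check's command searches more than one file, but that command is not part of this hunk and the removed line still framed the check as a single-file check. Either include the updated command in the patch (a grep across /etc/security/pwquality.conf and /etc/pwquality.conf.d/*.conf, as the dictcheck check in this same patch used to spell out) or define what "conflicting" means, since two files that both set difok to 8 or greater would be reported as a finding although the effective value is compliant. The pam_pwhistory "remember" lines are removed and re-added with the only difference being the V-230369 rule revision (r627750 to r833327), which matches the check id bump for that rule later in the patch.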
@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion><
Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-minlen = 15</fixtext><fix id="F-33013r567854_fix" /><check system="C-33038r567853_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
+minlen = 15</fixtext><fix id="F-33013r567854_fix" /><check system="C-33038r833326_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
-Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
+Check for the value of the "minlen" option with the following command:
-If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-230370"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230370r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020231</version><title>RHEL 8 passwords for new users must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+/etc/security/pwquality.conf:minlen = 15
+
+If the command does not return a "minlen" value of 15 or greater, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230370"><title>SRG-OS-000078-GPOS-00046</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230370r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020231</version><title>RHEL 8 passwords for new users must have a minimum of 15 characters.</title><description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
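Review bot: the expected output added to the minlen check, "/etc/security/pwquality.conf:minlen = 15", is file-prefixed grep output, which only appears when the command searches several files; now that the check no longer names /etc/security/pwquality.conf, the fix text just above it ("Add the following line to "/etc/security/pwquality.conf"") should also say the line may live in /etc/security/pwquality.conf or in a file under /etc/pwquality.conf.d/, as the dictcheck fix text in this patch already does, otherwise the administrator following the fix and the auditor running the check disagree about where the setting belongs. "If conflicting results are returned, this is a finding." should also state what counts as a conflict: minlen = 15 in one file and minlen = 20 in another both satisfy "a "minlen" value of 15 or greater", yet the sentence as written turns them into a finding. The revision bumps (SV-230369r833327_rule, C-33038r833326_chk) alongside the unchanged fix id F-33013r567854_fix are consistent, since the fix text itself did not change.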
@@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac
$ sudo chage -l system_account_name
Verify each of these accounts has an expiration date set within 72 hours.
-If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.</check-content></check></Rule></Group><Group id="V-230375"><title>SRG-OS-000266-GPOS-00101</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230375r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020280</version><title>All RHEL 8 passwords must contain at least one special character.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.</check-content></check></Rule></Group><Group id="V-230375"><title>SRG-OS-000266-GPOS-00101</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230375r833329_rule" weight="10.0" severity="medium"><version>RHEL-08-020280</version><title>All RHEL 8 passwords must contain at least one special character.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
-ocredit = -1</fixtext><fix id="F-33019r567872_fix" /><check system="C-33044r567871_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
+ocredit = -1</fixtext><fix id="F-33019r567872_fix" /><check system="C-33044r833328_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the value for "ocredit" with the following command:
-If the value of "ocredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230376"><title>SRG-OS-000383-GPOS-00166</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230376r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020290</version><title>RHEL 8 must prohibit the use of cached authentications after one day.</title><description><VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
+If the value of "ocredit" is a positive number or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230376"><title>SRG-OS-000383-GPOS-00166</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230376r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020290</version><title>RHEL 8 must prohibit the use of cached authentications after one day.</title><description><VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002007</ident><fixtext fixref="F-33020r567875_fix">Configure the SSSD to prohibit the use of cached authentications after one day.
-If "offline_credentials_expiration" is not set to a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-230377"><title>SRG-OS-000480-GPOS-00225</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230377r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020300</version><title>RHEL 8 must prevent the use of dictionary words for passwords.</title><description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33021r567878_fix">Configure RHEL 8 to prevent the use of dictionary words for passwords.
+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-230377"><title>SRG-OS-000480-GPOS-00225</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230377r833331_rule" weight="10.0" severity="medium"><version>RHEL-08-020300</version><title>RHEL 8 must prevent the use of dictionary words for passwords.</title><description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33021r567878_fix">Configure RHEL 8 to prevent the use of dictionary words for passwords.
Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter:
-dictcheck=1</fixtext><fix id="F-33021r567878_fix" /><check system="C-33046r567877_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents the use of dictionary words for passwords.
+dictcheck=1</fixtext><fix id="F-33021r567878_fix" /><check system="C-33046r833330_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents the use of dictionary words for passwords.
-Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command:
+Determine if the field "dictcheck" is set with the following command:
-If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230378"><title>SRG-OS-000480-GPOS-00226</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230378r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020310</version><title>RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.</title><description><VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
+If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230378"><title>SRG-OS-000480-GPOS-00226</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230378r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020310</version><title>RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.</title><description><VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33022r567881_fix">Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
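Review bot: the ocredit check's finding condition still reads "a positive number or is commented out", which does not cover ocredit = 0 even though the fix text requires ocredit = -1 and the rule title demands at least one special character; suggest "If the value of "ocredit" is not "-1" or a more negative number, is commented out, or is missing, this is a finding." The ocredit fix text ("Add the following line to /etc/security/pwquality.conf") still names only the main file, while the dictcheck fix text in the same hunk names the /etc/pwquality.conf.d/ directory as well; align the two, since the checks for both settings now drop the file name and add the conflicting-results sentence. The offline_credentials_expiration lines are removed and re-added identical apart from the V-230377 rule revision (r627750 to r833331), which matches the dictcheck check id bump to C-33046r833330_chk.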
@@ -4281,7 +4305,7 @@ root /sbin/auditd
root /sbin/rsyslogd
root /sbin/augenrules
-If any of the audit tools are not group-owned by "root", this is a finding.</check-content></check></Rule></Group><Group id="V-230475"><title>SRG-OS-000278-GPOS-00108</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230475r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030650</version><title>RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.</title><description><VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+If any of the audit tools are not group-owned by "root", this is a finding.</check-content></check></Rule></Group><Group id="V-230475"><title>SRG-OS-000278-GPOS-00108</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230475r833333_rule" weight="10.0" severity="medium"><version>RHEL-08-030650</version><title>RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.</title><description><VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th
-/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512</fixtext><fix id="F-33119r568172_fix" /><check system="C-33144r568171_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.
+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512</fixtext><fix id="F-33119r568172_fix" /><check system="C-33144r833332_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
Check the selection lines to ensure AIDE is configured to add/check with the following command:
-If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r809313_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
+If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r809313_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001849</ident><fixtext fixref="F-33120r568175_fix">Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
-If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-230507"><title>SRG-OS-000300-GPOS-00118</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230507r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040111</version><title>RHEL 8 Bluetooth must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
+If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-230507"><title>SRG-OS-000300-GPOS-00118</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230507r833336_rule" weight="10.0" severity="medium"><version>RHEL-08-040111</version><title>RHEL 8 Bluetooth must be disabled.</title><description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001443</ident><fixtext fixref="F-33151r568268_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001443</ident><fixtext fixref="F-33151r833335_fix">Configure the operating system to disable the Bluetooth adapter when not in use.
Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line:
install bluetooth /bin/true
-Reboot the system for the settings to take effect.</fixtext><fix id="F-33151r568268_fix" /><check system="C-33176r568267_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
+Disable the ability to use the Bluetooth kernel module.
+
+$ sudo vi /etc/modprobe.d/blacklist.conf
+
+Add or update the line:
+
+blacklist bluetooth
+
+Reboot the system for the settings to take effect.</fixtext><fix id="F-33151r833335_fix" /><check system="C-33176r833334_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.
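Review bot: the AIDE check line ending "If there is no evidence of integrity protection, this is a finding." is removed and re-added byte-for-byte identical as shown, so the difference can only be whitespace or line endings; confirm that is intended and not an editor artifact, because it hides the real change in that region (the C-33144 check id revision to r833332). In the Bluetooth fix text, the retained "Build or modify the "/etc/modprobe.d/bluetooth.conf" file ... install bluetooth /bin/true" now sits directly before the added "Disable the ability to use the Bluetooth kernel module ... blacklist bluetooth" steps with no connective, so it reads as two alternative procedures; state explicitly that both the install override and the blacklist entry are required, since the check updated in the next hunk looks for the blacklist line, and name the target file again next to "Add or update the line:" so the two edits to different files in /etc/modprobe.d/ are not confused.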
@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/*
/etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true
-If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.</check-content></check></Rule></Group><Group id="V-230508"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230508r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040120</version><title>RHEL 8 must mount /dev/shm with the nodev option.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.
+
+Verify the operating system disables the ability to use Bluetooth with the following command:
+If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230508"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230508r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040120</version><title>RHEL 8 must mount /dev/shm with the nodev option.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230529r627750_rule" weight="10.0" severity="high"><version>RHEL-08-040170</version><title>The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.</title><description><VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33173r619888_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
-Reload the daemon for this change to take effect.
-
-$ sudo systemctl daemon-reload</fixtext><fix id="F-33173r619888_fix" /><check system="C-33198r568333_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:
+If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230529"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230529r833338_rule" weight="10.0" severity="high"><version>RHEL-08-040170</version><title>The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.</title><description><VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33173r833337_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:
+Reload the daemon for this change to take effect.
+
+$ sudo systemctl daemon-reload</fixtext><fix id="F-33173r833337_fix" /><check system="C-33198r568333_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:
$ sudo systemctl status ctrl-alt-del.target
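Review bot: the fixtext for the bumped rule revision (SV-230529r833338_rule, fixref F-33173r833337_fix) changes "with the following command:" to "with the following commands:", yet the only command visible in this hunk's fixtext is `$ sudo systemctl daemon-reload`; confirm the additional command that the plural refers to is actually present in the full fixtext, otherwise keep the singular. The check id `C-33198r568333_chk` and the check-content sentence are unchanged on both sides, which is consistent with a fix-only revision, and the leading `RekeyLimit` finding clause is byte-identical in the `-` and `+` lines (it is rewritten only because the rule element shares its line).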
@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul
$ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd
-If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r818848_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-230535"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230535r833340_rule" weight="10.0" severity="medium"><version>RHEL-08-040210</version><title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r818851_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230536"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230536r833342_rule" weight="10.0" severity="medium"><version>RHEL-08-040220</version><title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r818854_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230537"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230537r833344_rule" weight="10.0" severity="medium"><version>RHEL-08-040230</version><title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33181r818853_fix" /><check system="C-33206r818852_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-33181r818853_fix" /><check system="C-33206r833343_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.
Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command:
If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r818860_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230538"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230538r833346_rule" weight="10.0" severity="medium"><version>RHEL-08-040240</version><title>RHEL 8 must not forward IPv6 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r818866_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230539"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230539r838722_rule" weight="10.0" severity="medium"><version>RHEL-08-040250</version><title>RHEL 8 must not forward IPv6 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r818872_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230540"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230540r833349_rule" weight="10.0" severity="medium"><version>RHEL-08-040260</version><title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33184r818871_fix" /><check system="C-33209r818870_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33184r818871_fix" /><check system="C-33209r833348_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r818875_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230541"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230541r833351_rule" weight="10.0" severity="medium"><version>RHEL-08-040261</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
An illicit router advertisement message could result in a man-in-the-middle attack.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33185r818874_fix" /><check system="C-33210r818873_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33185r818874_fix" /><check system="C-33210r833350_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is not applicable.
If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r818878_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230542"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230542r833353_rule" weight="10.0" severity="medium"><version>RHEL-08-040262</version><title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
An illicit router advertisement message could result in a man-in-the-middle attack.
-$ sudo sysctl --system</fixtext><fix id="F-33186r818877_fix" /><check system="C-33211r818876_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
+$ sudo sysctl --system</fixtext><fix id="F-33186r818877_fix" /><check system="C-33211r833352_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r818881_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230543"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230543r833355_rule" weight="10.0" severity="medium"><version>RHEL-08-040270</version><title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33187r818880_fix" /><check system="C-33212r818879_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-33187r818880_fix" /><check system="C-33212r833354_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.
Check the value of the "default send_redirects" variables with the following command:
If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r818887_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230544"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230544r833357_rule" weight="10.0" severity="medium"><version>RHEL-08-040280</version><title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r818890_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230545r833359_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33189r818889_fix" /><check system="C-33214r818888_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33189r818889_fix" /><check system="C-33214r833358_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:
If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r818893_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230546r833361_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant processes.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33190r818892_fix" /><check system="C-33215r818891_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33190r818892_fix" /><check system="C-33215r833360_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:
If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r818896_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230547r833363_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
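Review bot: the replacement finding text "If conflicting results are returned, this is a finding." is not defined against the precedence rules this same rule spells out two paragraphs earlier ("the entry in the file with the lexicographically latest name will take precedence" and "Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored"). An auditor can read "conflicting" either as "any two files disagree", which flags a system whose effective value is already compliant (a vendor-shipped file overridden by a later-sorting file in /etc/sysctl.d), or as "the effective value is wrong", which the preceding sentence ("If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding.") already covers. Suggest stating which is meant, for example: "If the file that takes precedence under the rules above does not set kernel.yama.ptrace_scope to 1, or a file loaded after it sets a different value, this is a finding." The same wording is reused for every sysctl rule in this change, so one definition would carry across all of them.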
@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33191r818895_fix" /><check system="C-33216r818894_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33191r818895_fix" /><check system="C-33216r833362_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:
$ sudo sysctl kernel.kptr_restrict
kernel.kptr_restrict = 1
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.
+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.
Check that the configuration files are present to enable this network parameter.
-If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding.
+If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r818899_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230548"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230548r833365_rule" weight="10.0" severity="medium"><version>RHEL-08-040284</version><title>RHEL 8 must disable the use of user namespaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33192r818898_fix" /><check system="C-33217r818897_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33192r818898_fix" /><check system="C-33217r833364_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 disables the use of user namespaces with the following commands:
Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r818902_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230549"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230549r833367_rule" weight="10.0" severity="medium"><version>RHEL-08-040285</version><title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-33193r818901_fix" /><check system="C-33218r818900_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-33193r818901_fix" /><check system="C-33218r833366_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:
$ sudo sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.
+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding.
Check that the configuration files are present to enable this network parameter.
-If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding.
+If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230550r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040290</version><title>RHEL 8 must be configured to prevent unrestricted mail relaying.</title><description><VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33194r568397_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-33194r568397_fix" /><check system="C-33219r568396_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
If the either of the following entries are returned, this is a finding:
ALL ALL=(ALL) ALL
-ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r809326_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
+ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r833369_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002227</ident><fixtext fixref="F-40824r646895_fix">Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
Defaults !targetpw
Defaults !rootpw
-Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r809325_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r833368_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
-If results are returned from more than one file location, this is a finding.
+If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
-If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r809328_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r838720_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
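Review bot: the widened check for net.ipv4.conf.all.rp_filter now accepts "2" alongside "1" with no change to the rule's discussion, title or sample output ("net.ipv4.conf.all.rp_filter = 1"). For kernel.kptr_restrict the same widening is a tightening, since 2 hides kernel pointers from more callers than 1, but per the kernel's ip-sysctl documentation rp_filter=1 is strict mode and 2 is loose mode, so this hunk relaxes the control while the title still says "RHEL 8 must use reverse path filtering on all IPv4 interfaces". If loose mode is intentionally acceptable (for example on hosts with asymmetric routing), say so in the VulnDiscussion and show when "2" is the right choice; otherwise keep "1" only. Drive-by on an untouched context line in this hunk: "If the either of the following entries are returned" has a stray "the".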
@@ -6181,12 +6216,12 @@ $ sudo visudo
Add or modify the following line:
Defaults timestamp_timeout=[value]
-Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r809327_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
+Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r838719_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
-If results are returned from more than one file location, this is a finding.
+If conflicting results are returned, this is a finding.
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244519"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244519r743806_rule" weight="10.0" severity="medium"><version>RHEL-08-010049</version><title>RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
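Review bot: "If conflicting results are returned, this is a finding." replaces "If results are returned from more than one file location" for the sudoers Defaults checks here and in RHEL-08-010383 above, but neither rule says how a conflict is resolved. sudoers applies Defaults entries in the order they are parsed, with /etc/sudoers.d files included in lexical order, so "Defaults timestamp_timeout=0" in /etc/sudoers followed by a larger value in an /etc/sudoers.d file is not a conflict from sudo's point of view; the later definition is simply the effective one. Suggest the check state that the last-parsed definition is the one evaluated against "is set to a negative number, is commented out, or no results are returned". Separately, the fix text says "The "[value]" must be a number that is greater than or equal to "0"" without a unit; sudoers(5), which RHEL-08-010383 already points the reader to, defines timestamp_timeout in minutes, and saying so here avoids someone setting a value they believe is seconds.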
@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server
openssh-server.x86_64 8.0p1-5.el8 @anaconda
-If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r818845_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-244550"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244550r833373_rule" weight="10.0" severity="medium"><version>RHEL-08-040209</version><title>RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r818857_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244551"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244551r833375_rule" weight="10.0" severity="medium"><version>RHEL-08-040239</version><title>RHEL 8 must not forward IPv4 source-routed packets.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r818863_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244552"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244552r833377_rule" weight="10.0" severity="medium"><version>RHEL-08-040249</version><title>RHEL 8 must not forward IPv4 source-routed packets by default.</title><description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r818884_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244553r833379_rule" weight="10.0" severity="medium"><version>RHEL-08-040279</version><title>RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.</title><description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r818905_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244554"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244554r833381_rule" weight="10.0" severity="medium"><version>RHEL-08-040286</version><title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
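Review bot: for RHEL-08-040239 and RHEL-08-040249 the VulnDiscussion says the requirement "applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router", yet both checks make any value other than "0" for net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route a finding with no applicability condition, and the new "If conflicting results are returned, this is a finding." line leaves that gap in place. Either drop the applicability sentence (accepting source-routed packets is a host-level setting, so requiring "0" everywhere is defensible on its own) or add the condition to the check, cross-referencing RHEL-08-040259, which already decides whether the system is a router. The two ICMP redirect rules in this hunk (RHEL-08-040209, RHEL-08-040279) are internally consistent and need no such change.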
@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --system</fixtext><fix id="F-47786r818904_fix" /><check system="C-47829r818903_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
+$ sudo sysctl --system</fixtext><fix id="F-47786r818904_fix" /><check system="C-47829r833380_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:
If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-245540"><title>SRG-OS-000191-GPOS-00080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-245540r754730_rule" weight="10.0" severity="medium"><version>RHEL-08-010001</version><title>The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.</title><description><VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001233</ident><fixtext fixref="F-48770r754729_fix">Install and enable the latest McAfee ENSLTP package.</fixtext><fix id="F-48770r754729_fix" /><check system="C-48814r754728_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
Procedure:
Check that the following package has been installed:
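Review bot: "If conflicting results are returned, this is a finding." (the `+` line replacing "If results are returned from more than one file location") leaves "conflicting" undefined, so two assessors can score the same host differently. Suggest stating what a conflict is, for example "If the parameter is set to a different value in more than one file, this is a finding," and, since the fixtext elsewhere in this diff explains that the lexicographically last file wins, spelling out that the precedence-winning file is the one that must carry the compliant value.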
@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock
-If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r818869_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+If the security context type of the non-default tally directory is not "faillog_t", this is a finding.</check-content></check></Rule></Group><Group id="V-250317"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-250317r833383_rule" weight="10.0" severity="medium"><version>RHEL-08-040259</version><title>RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.</title><description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
Load settings from all system configuration files with the following command:
-$ sudo sysctl --system</fixtext><fix id="F-53705r818868_fix" /><check system="C-53751r818867_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
-
-Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+$ sudo sysctl --system</fixtext><fix id="F-53705r818868_fix" /><check system="C-53751r833382_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
Check that IPv4 forwarding is disabled using the following command:
-$ sudo sysctl net.ipv4.ip_forward
+$ sudo sysctl net.ipv4.conf.all.forwarding
-net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Check that the configuration files are present to enable this network parameter.
If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
-If results are returned from more than one file location, this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
+If conflicting results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
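Review bot: The check now queries `net.ipv4.conf.all.forwarding` (the `+` lines replacing `net.ipv4.ip_forward`) and the file check "If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding" follows suit, but the part of the fixtext that precedes `$ sudo sysctl --system` is not in this hunk; confirm it writes the same parameter name to the configuration file, otherwise a host remediated under the previous revision with `net.ipv4.ip_forward = 0` in its sysctl configuration will fail the new file check even though its runtime value is 0. The same hunk drops "Note: If IPv4 is disabled on the system, this requirement is Not Applicable." with no replacement, so IPv4-disabled hosts lose their explicit N/A path; if that is intentional it should be stated, because those hosts will now be assessed against a sysctl check they previously skipped.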
@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
-If there is no application installed to perform integrity checks, this is a finding.</check-content></check></Rule></Group><Group id="V-251711"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251711r810015_rule" weight="10.0" severity="medium"><version>RHEL-08-010379</version><title>RHEL 8 must specify the default "include" directory for the /etc/sudoers file.</title><description><VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
-
+If there is no application installed to perform integrity checks, this is a finding.</check-content></check></Rule></Group><Group id="V-251711"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251711r833385_rule" weight="10.0" severity="medium"><version>RHEL-08-010379</version><title>RHEL 8 must specify the default "include" directory for the /etc/sudoers file.</title><description><VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
+
It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55102r809356_fix">Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
Edit the /etc/sudoers file with the following command:
@@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command:
$ sudo visudo
Add or modify the following line:
-#includedir /etc/sudoers.d</fixtext><fix id="F-55102r809356_fix" /><check system="C-55148r809355_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
+#includedir /etc/sudoers.d</fixtext><fix id="F-55102r809356_fix" /><check system="C-55148r833384_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.
+
+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
$ sudo grep include /etc/sudoers
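Review bot: The new "Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable." sits next to an unchanged fixtext that says "Add or modify the following line: #includedir /etc/sudoers.d" and a rule title that says RHEL 8 "must specify" the default include directory, so the check now treats absence as N/A while the fix instructs the assessor to add the directive. Either drop the N/A note and keep absence a finding, or reword the fixtext to remove any include or includedir directive other than `#includedir /etc/sudoers.d`. Separately, `$ sudo grep include /etc/sudoers` matches any line containing the word, comments included; anchoring on the directive, e.g. `$ sudo grep '^#include' /etc/sudoers`, avoids false findings while still matching both "#include" and "#includedir".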
@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s
Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
-$ sudo grep include /etc/sudoers.d/*
+$ sudo grep -r include /etc/sudoers.d
If results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251712"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251712r810017_rule" weight="10.0" severity="medium"><version>RHEL-08-010385</version><title>The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
-If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251716"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251716r809372_rule" weight="10.0" severity="medium"><version>RHEL-08-020104</version><title>RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
+If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251716"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251716r833387_rule" weight="10.0" severity="medium"><version>RHEL-08-020104</version><title>RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
/etc/pam.d/password-auth
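Review bot: `$ sudo grep -r include /etc/sudoers.d` (the `+` line) is better than the `/etc/sudoers.d/*` glob, which errors on an empty directory and never descends into subdirectories, but the following "If results are returned, this is a finding" still fires on any line that merely contains the word "include", such as a comment. Suggest matching the directive itself: `$ sudo grep -r '^#include' /etc/sudoers.d`. The second `-`/`+` pair in this region only bumps SV-251716r809372_rule to SV-251716r833387_rule with otherwise identical text, which is consistent with the check-id bump that follows.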
@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi
Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value):
-retry = 3</fixtext><fix id="F-55107r809371_fix" /><check system="C-55153r809370_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
+retry = 3</fixtext><fix id="F-55107r809371_fix" /><check system="C-55153r833386_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
Verify the operating system is configured to limit the "pwquality" retry option to 3.
Check for the use of the "pwquality" retry option with the following command:
<xccdf:title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</xccdf:title>
<xccdf:description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</xccdf:description>
@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth
<xccdf:fixtext fixref="F-32876r567443_fix">Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.</xccdf:fixtext>
<xccdf:title>RHEL 8 must prevent the loading of a new kernel for later execution.</xccdf:title>
<xccdf:description><VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.</xccdf:title>
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.</xccdf:title>
<xccdf:description><VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must restrict access to the kernel message buffer.</xccdf:title>
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must prevent kernel profiling by unprivileged users.</xccdf:title>
<xccdf:description><VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must require users to provide a password for privilege escalation.</xccdf:title>
<xccdf:description><VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
- <xccdf:fixtext fixref="F-32915r567560_fix">Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
- <xccdf:fix id="F-32915r567560_fix" />
+ <xccdf:fixtext fixref="F-32915r833300_fix">Configure the operating system to require users to supply a password for privilege escalation.
+
+Check the configuration of the "/etc/sudoers" file with the following command:
+$ sudo visudo
+
+Remove any occurrences of "NOPASSWD" tags in the file.
+
+Check the configuration of the /etc/sudoers.d/* files with the following command:
+$ sudo grep -ir nopasswd /etc/sudoers.d
+
+Remove any occurrences of "NOPASSWD" tags in the file.</xccdf:fixtext>
<xccdf:fixtext fixref="F-32916r567563_fix">Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.</xccdf:fixtext>
<xccdf:title>RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.</xccdf:title>
<xccdf:description><VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
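Review bot: The removed `<xccdf:fix id="F-32915r567560_fix" />` has no visible counterpart for the new fixref F-32915r833300_fix in this hunk; confirm a matching `<xccdf:fix id="F-32915r833300_fix" />` is added so the fixtext's fixref does not dangle. In the new text, "Remove any occurrences of "NOPASSWD" tags in the file." after `$ sudo grep -ir nopasswd /etc/sudoers.d` should read "in those files", since the grep covers every file under the directory. "Check the configuration of the "/etc/sudoers" file with the following command: $ sudo visudo" is really the editing step, as visudo opens the file for editing; a non-interactive check for /etc/sudoers would mirror the one used for /etc/sudoers.d, e.g. `$ sudo grep -i nopasswd /etc/sudoers`. The unchanged "!authenticate" fixtext on the next line keeps the old single-sentence form; consider giving it the same two-location structure for consistency.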
@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect:
<xccdf:fixtext fixref="F-32950r567665_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</xccdf:fixtext>
<xccdf:fixtext fixref="F-32951r567668_fix">Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.</xccdf:fixtext>
<xccdf:fixtext fixref="F-32952r567671_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</xccdf:fixtext>
<xccdf:title>RHEL 8 must disable the kernel.core_pattern.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must ensure session control is automatically started at shell initialization.</xccdf:title>
<xccdf:description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
- <xccdf:fixtext fixref="F-32993r809283_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
+ <xccdf:fixtext fixref="F-32993r833310_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
-If [ "$PS1" ]; then
+if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in (sshd|login) exec tmux ;; esac
fi
This setting will take effect at next logon.</xccdf:fixtext>
<xccdf:fixtext fixref="F-32994r567797_fix">Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux.</xccdf:fixtext>
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
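Review bot: The `If [ "$PS1" ]; then` to `if [ "$PS1" ]; then` correction is the substantive fix in this hunk: with a capital I the shell does not see an `if` statement, `then` then appears where no conditional is open and is a syntax error, so the whole custom.sh failed to parse at login and the tmux block never ran. The `-`/`+` pair on the "Tmux is a terminal multiplexer..." line reads identically; if the difference is trailing whitespace it is churn worth dropping, otherwise state what changed. Two smaller points on the script: quote the expansion in `name=$(ps -o comm= -p "$parent")`, and the fixtext should mention that `exec tmux` replaces the login shell, so the user's session ends when tmux exits rather than returning to a shell.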
@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
<xccdf:title>RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
<xccdf:title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin
<xccdf:title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
<xccdf:title>RHEL 8 must require the change of at least four character classes when passwords are changed.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin
<xccdf:title>RHEL 8 must require the change of at least 8 characters when passwords are changed.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
<xccdf:title>RHEL 8 passwords must have a minimum of 15 characters.</xccdf:title>
<xccdf:description><VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to
DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.</xccdf:fixtext>
<xccdf:title>All RHEL 8 passwords must contain at least one special character.</xccdf:title>
<xccdf:description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha
<xccdf:title>RHEL 8 must prevent the use of dictionary words for passwords.</xccdf:title>
<xccdf:description><VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></xccdf:description>
@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".</xccdf:fixtext>
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".</xccdf:fixtext>
Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.</xccdf:fixtext>
<xccdf:title>RHEL 8 Bluetooth must be disabled.</xccdf:title>
<xccdf:description><VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system.
@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per
If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</xccdf:fixtext>
<xccdf:title>RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</xccdf:title>
<xccdf:description><VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.
@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets.</xccdf:title>
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not forward IPv6 source-routed packets by default.</xccdf:title>
<xccdf:description><VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.</xccdf:title>
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
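Review bot: the VulnDiscussion beginning "Routing protocol daemons are typically used on routers" does not match the title "must not enable IPv6 packet forwarding unless the system is a router". Enabling forwarding on a host is about the host relaying packets between its interfaces, which lets it bridge network segments and bypass a boundary that was designed around it not doing so; it says nothing about routing daemons leaking topology. Suggest rewording the description to the forwarding risk and keeping the routing-daemon text for the rule that actually covers routing software.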
@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces.</xccdf:title>
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
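Review bot: the description under "must not accept router advertisements on all IPv6 interfaces" is the same routing-daemon boilerplate and does not describe the risk of accepting RAs. A Router Advertisement is unauthenticated, and accepting one lets any node on the link push a default route, prefix or DNS configuration onto the host, the same class of problem the ICMP redirect rules above describe as "unauthenticated" and "man-in-the-middle". Suggest a sentence along those lines; the "by default" variant in the next hunk needs the identical fix.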
@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.</xccdf:title>
<xccdf:description><VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.</xccdf:title>
<xccdf:description><VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command:
<xccdf:title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
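Review bot: the "disable access to network bpf syscall from unprivileged processes" rule carries the generic "functionality exceeding requirements" paragraph, and the same paragraph is copied verbatim into the ptrace, kernel-pointer, user-namespace, reverse-path-filter and BPF JIT rules that follow. A reader cannot tell from it what the control protects. Suggest one specific sentence per rule, for example here that an unprivileged bpf() call exposes the in-kernel BPF verifier and JIT to untrusted programs, and for the kernel-pointer rule that exposed kernel addresses defeat KASLR.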
@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must restrict usage of ptrace to descendant processes.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must restrict exposed kernel pointer addresses access.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must disable the use of user namespaces.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
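Review bot: "must disable the use of user namespaces" has only the generic description and should state the operational consequence: user.max_user_namespaces=0 disables rootless containers and any other software that unshares a user namespace, and the reader needs to know whether an exception applies when such workloads are present. One sentence on that in VulnDiscussion or PotentialImpacts would prevent a lot of disputed findings.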
@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must use reverse path filtering on all IPv4 interfaces.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec
<xccdf:title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</xccdf:title>
<xccdf:description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
<xccdf:title>RHEL 8 must require re-authentication when using the "sudo" command.</xccdf:title>
<xccdf:description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
<xccdf:title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</xccdf:title>
<xccdf:description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec
- <title>RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords.</title>
+ <title>RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords.</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 8</platform>
</affected>
<description>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</description>
<title>RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command.</title>
<affected family="unix">
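Review bot: the title on the `+` line is renumbered from RHEL-08-020300 to RHEL-08-021400 but nothing else in the hunk moves with it. Confirm that the definition's own id and version, the XCCDF `<version>` element for the dictionary-words rule, and any `<reference>` or fixref still carrying 020300 were updated in the same change; otherwise the benchmark and the OVAL advertise different rule IDs for the same check. The tst:21400 id used for the dictionary-words test later in this patch already follows the new numbering, so the rename itself looks intentional.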
@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit
If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</description>
</metadata>
- <criteria operator="ONE">
- <criterion comment="Defaults timestamp_timeout is configured in /etc/sudoers" test_ref="oval:mil.disa.stig.rhel8:tst:41600" />
- <criterion comment="Defaults timestamp_timeout is configured in /etc/sudoers.d" test_ref="oval:mil.disa.stig.rhel8:tst:41601" />
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.randomize_va_space is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:14401" version="2">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.randomize_va_space is set to 2 in the sysctl configuration files, and there are no conflicting settings in other files." check="all" check_existence="at_least_one_exists" id="oval:mil.disa.stig.rhel8:tst:14401" version="3">
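Review bot: two points here. First, the removed `<criteria operator="ONE">` block: ONE means exactly one child may be true, so a host with timestamp_timeout set in both /etc/sudoers and a /etc/sudoers.d file failed the old definition; collapsing the pair into one test is the right fix, but the matching `</criteria>` is not among the `-` lines shown, so confirm the surviving definition still has balanced criteria and references the new tst:41600 exactly once. Second, the kernel.randomize_va_space test is relaxed from only_one_exists to at_least_one_exists while its comment now promises "no conflicting settings in other files". check="all" only delivers that if the object's pattern collects every kernel.randomize_va_space assignment and the state compares the captured value to 2; if the pattern itself contains "= 2", a later file setting it to 0 is never collected and the test still passes. Please check the object regex.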
@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" comment="The pam_pwquality module is included in password-auth." id="oval:mil.disa.stig.rhel8:tst:19600" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one uppercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19700" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one uppercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19700" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one lowercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19800" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one lowercase character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19800" version="2">
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least one numeric character is required" check="all" id="oval:mil.disa.stig.rhel8:tst:19900" version="1">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters of the same character class must be limited to four when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20000" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters of the same character class must be limited to four when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20000" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters must be limited to three when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20100" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="the maximum number of repeating characters must be limited to three when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20100" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least 8 characters must change when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20300" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="at least 8 characters must change when passwords are changed" check="all" id="oval:mil.disa.stig.rhel8:tst:20300" version="2">
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" comment="Root does not have a minimum password age of 0 or blank" id="oval:mil.disa.stig.rhel8:tst:20400" version="3">
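Review bot: the version bumps on tst:19700, 19800, 20000, 20100 and 20300 skip tst:19900 ("at least one numeric character") and tst:19600, which stay at their old versions. If the underlying object/state change (not visible in this hunk) taught the other tests to read an additional pwquality configuration location, the numeric-character test needs it too or a dcredit setting in that location will be missed. Either bump it with the rest or note why it is exempt.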
@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must have a minimum of 15 characters" check="all" id="oval:mil.disa.stig.rhel8:tst:20900" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must have a minimum of 15 characters" check="all" id="oval:mil.disa.stig.rhel8:tst:20900" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21400" version="1">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21401" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="passwords must not be dictionary words" check="all" id="oval:mil.disa.stig.rhel8:tst:21400" version="2">
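Review bot: tst:21401 ("passwords must not be dictionary words") is deleted and only tst:21400 survives at version 2. The pair presumably covered two configuration locations; confirm the merged test's object still searches both, and that the criteria of the dictionary-words definition (the one renamed to RHEL-08-021400 earlier in this patch) no longer references tst:21401, or the OVAL will fail validation on a dangling test_ref.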
@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="/etc/modprobe.d contains a file that contains 'install bluetooth /bin/true'" check="all" id="oval:mil.disa.stig.rhel8:tst:32600" version="1">
<partition_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" comment="If /dev/shm is mounted, it is mounted with the nodev option" check="all" check_existence="any_exist" id="oval:mil.disa.stig.rhel8:tst:32700" version="3">
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.kptr_restrict is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36000" version="4">
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="kernel.kptr_restrict is set to 1 or 2 in kernel" check="all" state_operator="OR" id="oval:mil.disa.stig.rhel8:tst:36000" version="5">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.kptr_restrict is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36001" version="7">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="kernel.kptr_restrict is set to 1 or 2 in the sysctl configuration files, and no conflicting configs exist." check="all" state_operator="OR" check_existence="at_least_one_exists" id="oval:mil.disa.stig.rhel8:tst:36001" version="8">
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="user.max_user_namespaces is set to 0 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36100" version="2">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="user.max_user_namespaces is set to 0 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36101" version="4">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="user.max_user_namespaces is set to 0 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:36101" version="5">
- <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.all.rp_filter is set to 1 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36200" version="2">
+ <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="net.ipv4.conf.all.rp_filter is set to 1 or 2 in kernel" check="all" id="oval:mil.disa.stig.rhel8:tst:36200" state_operator="OR" version="3">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.all.rp_filter is set to 1 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:36201" version="3">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.ipv4.conf.all.rp_filter is set to 1 or 2 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:36201" state_operator="OR" version="4">
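Review bot: accepting rp_filter 1 or 2 in tst:36200/36201 changes the control's strength. 1 is strict reverse-path filtering; 2 is loose mode, which only drops packets whose source is unreachable via any interface and will not stop a spoofed source that is routable through some other interface. If 2 is now acceptable, the rule's check-content and fixtext ("must use reverse path filtering on all IPv4 interfaces") should list both values so manual and automated results agree; if it is a concession to asymmetric-routing hosts, say so in the comment. Separately, tst:36101 and tst:36201 drop check_existence="only_one_exists" without taking on the "no conflicting configs exist" wording that tst:36001 gets; with check="all" the conflict detection only holds if the objects collect every assignment of the parameter rather than just the acceptable values, so make the three tests consistent in both regex and comment.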
@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" comment="ALL does not exist in /etc/sudoers.d" id="oval:mil.disa.stig.rhel8:tst:41401" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" comment="Defaults timestamp_timeout is configured in /etc/sudoers or /etc/sudoers.d." id="oval:mil.disa.stig.rhel8:tst:41600" version="5">
- <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.core.bpf_jit_harden is set to 2 in the sysctl configuration files." check="all" check_existence="only_one_exists" id="oval:mil.disa.stig.rhel8:tst:47701" version="1">
+ <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="net.core.bpf_jit_harden is set to 2 in the sysctl configuration files." check="all" id="oval:mil.disa.stig.rhel8:tst:47701" version="2">
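Review bot: the new tst:41600 ("Defaults timestamp_timeout is configured in /etc/sudoers or /etc/sudoers.d") relies on check="all" with the default at_least_one_exists. sudo applies the last matching Defaults it reads, so a compliant line in /etc/sudoers followed by `Defaults timestamp_timeout=-1` in a sudoers.d file wins, and the description earlier in this patch notes that a negative value never expires. The test only catches that if the object's pattern matches every timestamp_timeout line (including negative values and the Defaults:user and Defaults!command forms) and the state bounds the captured value; please confirm. The same consistency point applies to tst:47701 (net.core.bpf_jit_harden): only_one_exists is dropped, so either the comment should say conflicting definitions are not detected, or the object must collect all values as the kptr_restrict test now claims to.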