From 06250daca2a1636cf4520e2b19988aa161dc7a07 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 17 May 2022 22:11:22 +0000
Subject: [PATCH] import scap-security-guide-0.1.60-8.el8_6

---
 ...ct_symlink_test_to_oval_5_10-PR_8721.patch | 42 +
 ...ctl_dont_ignore_all_symlinks-PR_8707.patch | 122 +
 ....62-sysctl_dont_scan_usr_lib-PR_8718.patch | 115 +
 ...2-sysctl_filter_symlinks_out-PR_8698.patch | 190 +
 ...ctl_parameter_on_single_file-PR_8656.patch | 241 +
 ...l_separate_object_from_state-PR_8704.patch | 88 +
 ....1.62-update_rhel8_stig_v1r6-PR_8670.patch | 6422 +++++++++++++++++
 SPECS/scap-security-guide.spec | 13 +-
 8 files changed, 7232 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch

diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch b/SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
new file mode 100644
index 0000000..9cd0737
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
@@ -0,0 +1,42 @@ +From 484ceb5641f53a8f3b505099a3bebb8d5e481f1a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 May 2022 11:31:31 +0200 +Subject: [PATCH] Restrict the symlink test to OVAL 5.11 + +The symlink_test was added in OVAL 5.11 and is not availble in 5.10. +The 5.10 version of the sysctl template will not check for sysctl +options defined in more than on file. +--- + shared/templates/sysctl/oval.template | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index ba4e65cbaef..53456a90a01 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -114,7 +114,9 @@ + + ++{{% if target_oval_version >= [5, 11] %}} + ++{{% endif %}} + + + +@@ -140,6 +142,7 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + ++{{% if target_oval_version >= [5, 11] %}} + + +@@ -214,6 +217,7 @@ + + + ++{{% endif %}} + + + diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch new file mode 100644 index 0000000..a154125 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch 
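Review bot: The duplicate-definition check that this patch wraps in `{{% if target_oval_version >= [5, 11] %}}` is skipped entirely on OVAL 5.10 builds, yet the template documentation added by the PR_8718 patch in this same import states without qualification that an option `defined in more then one file within the scanned directories will result in fail`. Please add the caveat where that sentence lives in docs/templates/template_reference.md, for example `This multiple-file check relies on symlink_test and is only emitted for OVAL 5.11 or newer; OVAL 5.10 content does not report duplicates.` Unrelated to correctness, the SOURCES file is named `restrict_symlink_test_to_oval_5_10` while the subject says 5.11, which will confuse anyone grepping the spec later. The XML elements inside the three template hunks are stripped in this rendering, so only the Jinja guards could be reviewed.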
@@ -0,0 +1,122 @@
+From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 May 2022 19:21:04 +0200
+Subject: [PATCH 1/2] Add tests to ensure valid symlinks are checked
+
+These sysctl tests help check cases when:
+- A symlink points to a file out of the default default dirs
+- Multile symlinks point to the same file in the default dirs
+
+Symlinks are a valid use case how to configure sysctls.
+---
+ .../tests/symlink_root_duplicate.fail.sh | 15 +++++++++++++++
+ .../tests/symlink_root_incompliant.fail.sh | 15 +++++++++++++++
+ .../tests/symlinks_to_same_file.pass.sh | 14 ++++++++++++++
+ 3 files changed, 44 insertions(+)
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+new file mode 100644
+index 00000000000..c4f756a110f
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i 
"/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf ++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf ++ ++# Put a config file out of the default dirs ++echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf ++ ++# Add a symlink ++ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf ++ ++sysctl -w net.ipv4.conf.default.accept_source_route=0 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh +new file mode 100644 +index 00000000000..3b67676ac69 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf ++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf ++ ++# Put a config file out of the default dirs ++echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf ++ ++# Add a symlink ++ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf ++ ++sysctl -w net.ipv4.conf.default.accept_source_route=0 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh +new file mode 100644 +index 00000000000..6164d0b1ca9 +--- /dev/null ++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf ++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf ++ ++# Multiple symliks to the same file should be ignored ++ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf ++ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf ++ ++sysctl -w net.ipv4.conf.default.accept_source_route=0 ++ + +From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 4 May 2022 19:23:41 +0200 +Subject: [PATCH 2/2] Filter out symlinks referencing default dirs + +Apply a filter on the collected symlinks and exclude the ones that +don't point to the default dirs. +In other words, only remove ignore options in symlinks if the files they +reference will be scanned anyway, because they are in the one of the +default dirs. +--- + shared/templates/sysctl/oval.template | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 0b5cde45045..ac395d545c3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -217,10 +217,20 @@ + + +- ++ + ++ state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} + + ++ ++ ++ ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ ++ ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch new file mode 100644 index 0000000..19a156e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch 
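Review bot: In symlink_root_duplicate.fail.sh and symlink_root_incompliant.fail.sh the line `echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf` (`= 1` in the second script) appends to a file that the preceding `rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*` never touches, so the file accumulates lines across scenario runs and one scenario can inherit the other's value. Write it with `>` instead of `>>`, or add `rm -f /root/root-sysctl.conf` to the cleanup step. The filter regex in the PATCH 2/2 hunk, `^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$`, treats a link target under /usr/lib/sysctl.d/ as a file that will be scanned anyway, but the PR_8718 patch in this import stops scanning that directory on RHEL; if I read the filter correctly, a link in /etc/sysctl.d pointing into /usr/lib/sysctl.d would then be dropped from the count while its target is never read, so the `\/usr\/lib` alternative should sit under the same `{{% if "rhel" not in product %}}` guard. Note also that every scenario here wipes /usr/lib/sysctl.d, so none of them exercises the pre-configured-file situation PR_8718 describes.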
@@ -0,0 +1,115 @@
+From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 6 May 2022 13:32:34 +0200
+Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
+
+With the introduction of checks for options defined in multiple
+files
+the pre-configured sysctls became prominent and started to cause
+rules
+to fail.
+
+In /usr/lib/sysctl.d there are sysctl options defined by systemd and
+other packages. The files in witch these options are defined are not
+meant to be edited, these options should be overriden by options in
+dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
+Remediating these files will cause problems with rule
+rpm_verify_hashes,
+as these files are not RPM config files.
+
+As the sysctl remediations don't edit the pre-configured files the
+rule will always result in error.
+This commit removes the checks for the pre-configured directory,
+i.e. /usr/lib/sysctl.d/.
+
+The end result is that any sysctl option that is pre-configured in
+/usr/lib/sysctl.d will be defined in two files, the pre-configured
+one
+ane /etc/sysctl.conf.
+The sysctl option in effect should be the one configured in
+/etc/sysctl.conf as this file has the highest priority for sysctl.
+---
+ docs/templates/template_reference.md | 12 +++++++++++-
+ shared/templates/sysctl/oval.template | 8 ++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index fef4679..d49511a 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
+ ```
+
+ #### sysctl
+-- Checks sysctl parameters. The OVAL definition checks both
++- Checks sysctl parameters. 
The OVAL definition checks both static + configuration and runtime settings and require both of them to be + set to the desired value to return true. + ++ The following file and directories are checked for static ++ sysctl configurations: ++ - /etc/sysct.conf ++ - /etc/sysct.d/\*.conf ++ - /run/sysct.d/\*.conf ++ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL) ++ ++ A sysctl option defined in more then one file within the scanned directories ++ will result in `fail`. ++ + - Parameters: + + - **sysctlvar** - name of the sysctl value, eg. +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 2794638..b692ee3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -98,8 +98,10 @@ + test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/> + ++{{% if "rhel" not in product %}} + ++{{% endif %}} + + + +@@ -117,9 +119,11 @@ + {{{ state_static_sysctld("run_sysctld") }}} + + ++{{% if "rhel" not in product %}} + + {{{ state_static_sysctld("usr_lib_sysctld") }}} + ++{{% endif %}} + + +@@ -229,7 +233,9 @@ + + + object_static_run_sysctld_{{{ SYSCTLID }}} ++{{% if "rhel" not in product %}} + object_static_usr_lib_sysctld_{{{ SYSCTLID }}} ++{{% endif %}} + + + +@@ -250,11 +256,13 @@ + {{{ sysctl_match() }}} + + ++{{% if "rhel" not in product %}} + + /usr/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + ++{{% endif %}} + {{% if SYSCTLVAL == "" %}} + + +-- +2.34.1 + diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch b/SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch new file mode 100644 index 0000000..03910aa --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch 
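Review bot: The list of scanned locations added to docs/templates/template_reference.md misspells every path: `/etc/sysct.conf`, `/etc/sysct.d/\*.conf`, `/run/sysct.d/\*.conf` and `/usr/lib/sysct.d/\*.conf` should read `/etc/sysctl.conf`, `/etc/sysctl.d/*.conf`, `/run/sysctl.d/*.conf` and `/usr/lib/sysctl.d/*.conf`, and `more then one file` should be `more than one file`; these are the strings an operator will search for when a rule starts failing. The same paragraph should also carry the consequence the commit message spells out but the doc omits: on RHEL a value pre-configured in /usr/lib/sysctl.d is no longer inspected by the static check, so the rule depends on /etc/sysctl.conf overriding it and on the runtime check catching the effective value. On the template side, `{{% if "rhel" not in product %}}` is now repeated in four hunks of oval.template; since the file already uses `{{%- set ... %}}` at the top (see the PR_8656 patch), a single flag such as `{{%- set SCAN_USR_LIB_SYSCTLD = "rhel" not in product %}}` would keep the four guards from drifting apart. Only the Jinja guards are visible in this rendering; the XML they wrap is stripped.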
@@ -0,0 +1,190 @@ +From b08b310a02e022d280b76e89282c8b8dcf3b9b55 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 4 May 2022 10:02:05 +0200 +Subject: [PATCH 1/3] Filter out symlinks + +Create a list of paths to symlinks to filter out from the count of +unique filpaths. +--- + shared/templates/sysctl/oval.template | 29 ++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 97487d6114e..1f30ad86ceb 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -168,9 +168,36 @@ + + + ++ ++ ++ object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} ++ state_{{{ SYSCTLID }}}_filepath_is_symlink ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- ++ + + object_static_etc_sysctls_{{{ SYSCTLID }}} + object_static_run_usr_sysctls_{{{ SYSCTLID }}} + +From 29bf2a53d29624aa21fe91d5ad0ee34260514b6f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 4 May 2022 11:18:46 +0200 +Subject: [PATCH 2/3] Avoid using empty variable when no symlinks exist + +This avoids directly referencing a variable that may have no values. +If no symlinks are found, 'local_var_symlinks_{{{ SYSCTLID }}}' will +have "no values". +Using this variable in the state comparison will automatically cause the +definition to evaluate to "unknown". + +What we do here is inject a blank string with the use of , this +way, when no symlinks are found, the variable has a single blank string. 
+--- + shared/templates/sysctl/oval.template | 32 ++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1f30ad86ceb..0b5cde45045 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -176,9 +176,39 @@ + + + +- ++ + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_obj_symlink_{{{ SYSCTLID }}} ++ var_obj_blank_{{{ SYSCTLID }}} ++ ++ ++ ++ ++ local_var_blank_path_{{{ SYSCTLID }}} ++ ++ ++ ++ ++ ++ ++ ++ local_var_symlinks_{{{ SYSCTLID }}} ++ ++ ++ + + + + +From 7e9e091517131d30c60a649795d477435017c97b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 4 May 2022 11:41:13 +0200 +Subject: [PATCH 3/3] Add test scenarios for sysctl symlink + +--- + .../tests/symlink_different_option.pass.sh | 15 +++++++++++++++ + .../tests/symlink_repeated_sysctl_conf.pass.sh | 11 +++++++++++ + .../tests/symlink_same_option.fail.sh | 15 +++++++++++++++ + 3 files changed, 41 insertions(+) + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh +new file mode 100644 +index 
00000000000..714a8815134
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++
++# Configure a different sysctl option
++echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
++
++# Add a symlink
++ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
+new file mode 100644
+index 00000000000..1fbbf1b0675
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++
++ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
+new file mode 100644
+index 00000000000..51530f6e80c
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++
++# Configure the same sysctl option
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
++
++# and add a symlink
++ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch b/SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
new file mode 100644
index 0000000..9664395
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
@@ -0,0 +1,241 @@
+From 21177e5d44dfd6f4fa6de79737c1e55c4b22660a Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 3 May 2022 10:49:44 +0200
+Subject: [PATCH] Edited PR_8656 to apply on 0.1.60
+
+---
+ .../one_sysctl_conf_one_sysctl_d.fail.sh | 11 +++
+ .../tests/two_sysctls_on_d.fail.sh | 11 +++
+ .../tests/two_sysctls_on_same_file.pass.sh | 11 +++
+ .../two_sysctls_on_same_file_name.fail.sh | 11 +++
+ shared/templates/sysctl/bash.template | 2 +-
+ shared/templates/sysctl/oval.template | 99 +++++++++++++------
+ 6 files changed, 114 insertions(+), 31 deletions(-)
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+new file mode 100644
+index 0000000..b2bc2f8
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++# Clean sysctl config 
directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+new file mode 100644
+index 0000000..49a8f2e
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/first.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+new file mode 100644
+index 0000000..548e616
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+new file mode 100644
+index 0000000..487691d
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
++
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
++echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sysctl.conf
++
++sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 6c82e6e..d68956f 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -6,7 +6,7 @@
+
+ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+ for f in /etc/sysctl.d/*.conf ; do
+- matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
++ matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
+ if ! 
test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 646f5f3..fd19f8b 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -1,3 +1,9 @@ ++{{%- if SYSCTLVAL == "" %}} ++{{%- set COMMENT_VALUE="the appropriate value" %}} ++{{%- else %}} ++{{%- set COMMENT_VALUE=SYSCTLVAL %}} ++{{%- endif %}} ++ + {{% macro state_static_sysctld(prefix) -%}} + + {{%- if SYSCTLVAL == "" %}} +@@ -6,7 +12,7 @@ + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +- (?:^|.*\n)[^#]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*\n ++ ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$ + 1 + {{%- else -%}} + {{% if OPERATION == "pattern match" %}} +@@ -53,20 +59,12 @@ + + + +- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system runtime.") }}} ++ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + +-{{%- if SYSCTLVAL == "" %}} +- +-{{%- else %}} +- +-{{%- endif %}} ++ + + +-{{% if SYSCTLVAL == "" %}} +- +-{{%- else %}} +- +-{{%- endif %}} ++ + + + +@@ -96,25 +94,21 @@ + + + +- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system configuration.") }}} +-{{%- if SYSCTLVAL == "" %}} +- +- +- +- +- +- +- +-{{%- else %}} +- +- +- +- +- +- +- ++ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ + +-{{%- endif %}} + + + +@@ -133,6 +127,51 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + ++ ++ ++ ++ ++ ++ ++ local_var_unique_sysctl_{{{ SYSCTLID 
}}}_counter ++ ++ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ object_static_etc_sysctls_{{{ SYSCTLID }}} ++ object_static_run_usr_sysctls_{{{ SYSCTLID }}} ++ ++ ++ ++ ++ ++ object_static_sysctl_{{{ SYSCTLID }}} ++ object_static_etc_sysctld_{{{ SYSCTLID }}} ++ ++ ++ ++ ++ ++ object_static_run_sysctld_{{{ SYSCTLID }}} ++ object_static_usr_lib_sysctld_{{{ SYSCTLID }}} ++ ++ ++ + + /etc/sysctl.conf + {{{ sysctl_match() }}} +-- +2.34.1 + diff --git a/SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch b/SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch new file mode 100644 index 0000000..f66c00a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch 
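Review bot: In bash.template the new `matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )` matches any non-comment line that merely contains the sysctl name as a substring, since `[\s]*` is optional and nothing bounds the name on the right (the unescaped dots in `{{{ SYSCTLVAR }}}` also match any character). When one sysctl name is a prefix of another, the remediation will comment out the unrelated longer option as well — for instance a `net.ipv4.ip_forward` remediation would also hit a `net.ipv4.ip_forward_use_pmtu` line — which works against the `# comment out ... to preserve user data` intent stated in the loop body. Anchoring on the separator closes that: `matching_list=$(grep -P '^(?!#)\s*{{{ SYSCTLVAR }}}\s*=' "$f" | uniq )`; dropping the leading `.*` is safe because sysctl.conf lines are `token = value` with nothing before the token. The `for` loop continues past the hunk, and the oval.template hunks in this patch have their XML stripped, so only the Jinja and regex text was reviewed there.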
@@ -0,0 +1,88 @@
+From 1c403af00f39fcfa3c7cf898b1e832d4580cfb59 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 5 May 2022 10:28:34 +0200
+Subject: [PATCH] PR #8704 edited manually
+
+- Restrict test to sysctl.conf and /usr/sysctl.d
+- Separate the state from the object and check it
+---
+ .../tests/wrong_value_d_directory.fail.sh | 12 ++++++------
+ shared/templates/sysctl/oval.template | 18 ++++++++++--------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+index 48a2665..5fb8ddc 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+@@ -5,19 +5,19 @@
+ setting_name="kernel.randomize_va_space"
+ setting_value="2"
+ # sysctl -w "$setting_name=$setting_value"
+-if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
+- sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
++if grep -q "^$setting_name" /etc/sysctl.conf; then
++ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
+ else
+- echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
++ echo "$setting_name = $setting_value" >> /etc/sysctl.conf
+ fi
+
+ setting_name="kernel.randomize_va_space"
+ setting_value="0"
+ # sysctl -w "$setting_name=$setting_value"
+-if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
+- sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
++if grep -q "^$setting_name" 
/etc/sysctl.d/98-sysctl.conf; then
++ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/98-sysctl.conf
+ else
+- echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
++ echo "$setting_name = $setting_value" >> /etc/sysctl.d/98-sysctl.conf
+ fi
+
+ sysctl --system
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 564cc33..97f1e05 100644
+--- a/shared/templates/sysctl/oval.template
++++ b/shared/templates/sysctl/oval.template
+@@ -6,21 +6,15 @@
+
+ {{% macro state_static_sysctld(prefix) -%}}
+
+-{{%- if SYSCTLVAL == "" %}}
+
+-{{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- macro sysctl_match() -%}}
+ {{%- if SYSCTLVAL == "" -%}}
+ ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$
+ 1
+ {{%- else -%}}
+-{{% if OPERATION == "pattern match" %}}
+- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL_REGEX }}}[\s]*$
+-{{% else %}}
+- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL }}}[\s]*$
+-{{% endif %}}
+- 1
++ ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$
++ 1
+ {{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- if "P" in FLAGS -%}}
+@@ -258,6 +252,14 @@
+
+
+
++{{% else %}}
++
++{{% if OPERATION == "pattern match" %}}
++ {{{ SYSCTLVAL_REGEX }}}
++{{% else %}}
++ {{{ SYSCTLVAL }}}
++{{% endif %}}
++
+ {{% endif %}}
+
+ {{%- endif -%}}
+--
+2.34.1
+
diff --git a/SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch b/SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
new file mode 100644
index 0000000..72fcff6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
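Review bot: The new `sysctl_match()` body `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$` captures the value with a greedy `(.*)`, so the following `[\s]*` can never consume anything and trailing whitespace on the line ends up inside the capture. The state added in the second hunk compares that capture with `{{{ SYSCTLVAL }}}` (or `{{{ SYSCTLVAL_REGEX }}}` under `pattern match`), so, if I read the stripped XML right, a line such as `kernel.randomize_va_space = 2 ` with a trailing blank would fail the equality branch even though sysctl itself accepts it. A lazy capture fixes this without losing space-separated values such as port ranges: `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*?)[\s]*$`. The commit body says the test was restricted to `sysctl.conf and /usr/sysctl.d`, but the test hunk actually moves it to /etc/sysctl.conf and /etc/sysctl.d/98-sysctl.conf; the description should say so.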
@@ -0,0 +1,6422 @@ +From 2db5a10b6be510a8c702cd726667f44b5e360267 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 2 May 2022 10:20:36 +0200 +Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R6 + +--- + ... => disa-stig-rhel8-v1r6-xccdf-manual.xml} | 401 ++++++++---------- + 1 file changed, 173 insertions(+), 228 deletions(-) + rename shared/references/{disa-stig-rhel8-v1r5-xccdf-manual.xml => disa-stig-rhel8-v1r6-xccdf-manual.xml} (94%) + +diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml +similarity index 94% +rename from shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml +rename to shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml +index 216e91f92c6..849ab06f66d 100644 +--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml +@@ -1,4 +1,4 @@ +-acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 27 Jan 20223.2.2.360791.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. + +@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf + + localpkg_gpgcheck =True + +-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. 
Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. + +@@ -859,16 +859,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749Configure the operating system to disable kernel image loading. ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749Configure the operating system to disable kernel image loading. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.kexec_load_disabled = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: + + Check the status of the kernel.kexec_load_disabled kernel parameter. + +@@ -880,13 +879,13 @@ If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a findi + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r kernel.kexec_load_disabled /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1 + + If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. 
An example of DAC includes user-controlled file permissions. ++If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +@@ -900,17 +899,15 @@ The sysctl --system command will load settings from all system configuration fil + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. +- +-Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002165Configure the operating system to enable DAC on symlinks. ++Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002165Configure the operating system to enable DAC on symlinks. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + fs.protected_symlinks = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: + + Check the status of the fs.protected_symlinks kernel parameter. + +@@ -922,13 +919,13 @@ If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding. + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r fs.protected_symlinks /etc/sysctl.d/*.conf ++$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1 + + If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
++If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
+ +@@ -942,17 +939,15 @@ The sysctl --system command will load settings from all system configuration fil + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. +- +-Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002165Configure the operating system to enable DAC on hardlinks. ++Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002165Configure the operating system to enable DAC on hardlinks. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + fs.protected_hardlinks = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: + + Check the status of the fs.protected_hardlinks kernel parameter. + +@@ -964,13 +959,13 @@ If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding. + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r fs.protected_hardlinks /etc/sysctl.d/*.conf ++$ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1 + + If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. ++If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
+ +@@ -984,17 +979,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001090Configure the operating system to restrict access to the kernel message buffer. ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001090Configure the operating system to restrict access to the kernel message buffer. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.dmesg_restrict = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: + + Check the status of the kernel.dmesg_restrict kernel parameter. + +@@ -1006,13 +999,13 @@ If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r kernel.dmesg_restrict /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 + + If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. ++If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
+ +@@ -1026,17 +1019,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001090Configure the operating system to prevent kernel profiling by unprivileged users. ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001090Configure the operating system to prevent kernel profiling by unprivileged users. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.perf_event_paranoid = 2 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: + + Check the status of the kernel.perf_event_paranoid kernel parameter. + +@@ -1048,13 +1039,13 @@ If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a findi + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r kernel.perf_event_paranoid /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2 + + If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. 
++If results are returned from more than one file location, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + +@@ -1231,7 +1222,7 @@ $ sudo grep slub_debug /etc/default/grub + + GRUB_CMDLINE_LINUX="slub_debug=P" + +-If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. ++If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + +@@ -1241,17 +1232,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002824Configure the operating system to implement virtual address space randomization. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002824Configure the operating system to implement virtual address space randomization. 
+- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.randomize_va_space=2 + + Issue the following command to make the changes take effect: + +-$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: ++$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: + + $ sudo sysctl kernel.randomize_va_space + +@@ -1261,13 +1250,13 @@ If "kernel.randomize_va_space" is not set to "2", this is a finding. + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r kernel.randomize_va_space /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 + + If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. ++If results are returned from more than one file location, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. 
+ + Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file: + +@@ -1601,7 +1590,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS) + + If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). + +-If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -1609,17 +1598,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable storing core dumps. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable storing core dumps. +- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.core_pattern = |/bin/false + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: + + $ sudo sysctl kernel.core_pattern + +@@ -1629,13 +1616,13 @@ If the returned line does not have a value of "|/bin/false", or a line is not re + + Check that the configuration files are present to enable this kernel parameter. + +-$ sudo grep -r kernel.core_pattern /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false + + If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+ + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +@@ -2506,18 +2493,18 @@ $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/* + + /org/gnome/desktop/screensaver/lock-delay + +-If the command does not return at least the example result, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>RHEL-08-020090RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. ++If the command does not return at least the example result, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>RHEL-08-020090RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +-There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. 
Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000187Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example: ++There are various methods of mapping certificates to user/group accounts for RHEL 8. For the purposes of this requirement, the check and fix will account for Active Directory mapping. 
Some of the other possible methods include joining the system to a domain and utilizing a Red Hat idM server, or a local system mapping, where the system is not part of a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000187Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example: + + [certmap/testing.test/rule_name] + matchrule =<SAN>.*EDIPI@mil + maprule = (userCertificate;binary={cert!bin}) +-dmains = testing.test ++domains = testing.test + + The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: + +-$ sudo systemctl restart sssd.serviceVerify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: ++$ sudo systemctl restart sssd.serviceVerify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: + + $ sudo cat /etc/sssd/sssd.conf + +@@ -4429,31 +4416,31 @@ overflow_action = syslog + + If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+ +-If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030710RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +- +-Off-loading is a common process in information systems with limited audit storage capacity. +- +-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. +- ++If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030710RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. 
Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. ++ + Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001851Configure the operating system to encrypt off-loaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": + + $DefaultNetstreamDriver gtls +-$ActionSendStreamDriverMode 1Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands: +- +-$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +- +-/etc/rsyslog.conf:$DefaultNetstreamDriver gtls +- +-If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding. +- +-$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +- +-/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 +- +-If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding. +- +-If either of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+- ++$ActionSendStreamDriverMode 1Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands: ++ ++$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf ++ ++/etc/rsyslog.conf:$DefaultNetstreamDriver gtls ++ ++If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding. ++ ++$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf ++ ++/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 ++ ++If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding. ++ ++If neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. ++ + If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030720RHEL 8 must authenticate the remote logging server for off-loading audit logs.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit storage capacity. +@@ -4585,7 +4572,7 @@ $ sudo yum remove sendmailSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040004RHEL 8 must enable mitigations against processor-based vulnerabilities.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
++If the sendmail package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040004RHEL 8 must enable mitigations against processor-based vulnerabilities.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +@@ -4599,7 +4586,7 @@ $ sudo grubby --update-kernel=ALL --args="pti=on" + + Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +-GRUB_CMDLINE_LINUX="pti=on"Verify RHEL 8 enables kernel page-table isolation with the following commands: ++GRUB_CMDLINE_LINUX="pti=on"Verify RHEL 8 enables kernel page-table isolation with the following commands: + + $ sudo grub2-editenv list | grep pti + +@@ -4609,7 +4596,7 @@ If the "pti" entry does not equal "on", is missing, or the line is commented out + + Check that kernel page-table isolation is enabled by default to persist in kernel updates: + +-$ sudo grep audit /etc/default/grub ++$ sudo grep pti /etc/default/grub + + GRUB_CMDLINE_LINUX="pti=on" + +@@ -5451,7 +5438,7 @@ If the account is associated with system commands or applications, the UID shoul + + $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd + +-If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by 
routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5459,17 +5446,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted. +- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. 
++$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5483,13 +5468,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0 + + If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. 
Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. + +@@ -5499,17 +5484,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects. 
+- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.all.send_redirects=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. ++$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. + + Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + +@@ -5523,13 +5506,13 @@ If the returned line does not have a value of "0", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0 + + If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. 
+ + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +@@ -5538,17 +5521,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.icmp_echo_ignore_broadcasts=1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. ++$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. + + Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + +@@ -5562,13 +5543,13 @@ If the returned line does not have a value of "1", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1 + + If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5576,17 +5557,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets. ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. 
++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5600,13 +5579,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0 + + If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+ + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5614,17 +5593,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets by default. 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets by default. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. ++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5638,13 +5615,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.default.accept_source_route /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0 + + If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5652,17 +5629,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router. +- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.forwarding=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. 
++$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5676,13 +5651,13 @@ If the IPv6 forwarding value is not "0" and is not documented with the Informati + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.all.forwarding /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0 + + If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + An illicit router advertisement message could result in a man-in-the-middle attack. 
+ +@@ -5692,17 +5667,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
+- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_ra=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. ++$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is not applicable. + +@@ -5716,13 +5689,13 @@ If the "accept_ra" value is not "0" and is not documented with the Information S + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.all.accept_ra /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0 + + If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + An illicit router advertisement message could result in a man-in-the-middle attack. + +@@ -5732,17 +5705,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_ra=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. ++$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is not applicable. + +@@ -5756,13 +5727,13 @@ If the "accept_ra" value is not "0" and is not documented with the Information S + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.default.accept_ra /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0 + + If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. 
+ +@@ -5772,17 +5743,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.default.send_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. ++$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. + + Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + +@@ -5796,13 +5765,13 @@ If the returned line does not have a value of "0", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0 + + If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5810,17 +5779,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv6 ICMP redirect messages. 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv6 ICMP redirect messages. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. ++$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5834,13 +5801,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv6.conf.all.accept_redirects /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0 + + If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5848,15 +5815,13 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.unprivileged_bpf_disabled = 1 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: + + $ sudo sysctl kernel.unprivileged_bpf_disabled + +@@ -5866,13 +5831,13 @@ If the returned line does not have a value of "1", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r kernel.unprivileged_bpf_disabled /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1 + + If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5880,15 +5845,13 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.yama.ptrace_scope = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: + + $ sudo sysctl kernel.yama.ptrace_scope + +@@ -5898,13 +5861,13 @@ If the returned line does not have a value of "1", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r kernel.yama.ptrace_scope /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1 + + If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5912,15 +5875,13 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.kptr_restrict = 1 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: + + $ sudo sysctl kernel.kptr_restrict + +@@ -5930,13 +5891,13 @@ If the returned line does not have a value of "1", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r kernel.kptr_restrict /etc/sysctl.d/*.conf ++$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 + + If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+ + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5944,9 +5905,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 
8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + + Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +@@ -5954,7 +5913,7 @@ user.max_user_namespaces = 0 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: + + Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +@@ -5966,13 +5925,13 @@ If the returned line does not have a value of "0", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r user.max_user_namespaces /etc/sysctl.d/*.conf ++$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 + + If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -5980,15 +5939,13 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + + net.ipv4.conf.all.rp_filter = 1 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: + + $ sudo sysctl net.ipv4.conf.all.rp_filter + +@@ -5998,13 +5955,13 @@ If the returned line does not have a value of "1", or a line is not returned, th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 + + If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: ++If results are returned from more than 
one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: + + $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. + +@@ -6630,7 +6587,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p + + $ sudo grep -i nullok /etc/pam.d/password-auth + +-If output is produced, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030181RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
++If output is produced, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030181RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + + Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +@@ -6640,9 +6597,9 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO + + $ sudo systemctl enable auditd.service + +-$ sudo systemctl start auditd.serviceVerify the audit service is configured to produce audit records with the following command: ++$ sudo systemctl start auditd.serviceVerify the audit service is configured to produce audit records with the following command: + +-$ sudo systemctl status auditd.service. ++$ sudo systemctl status auditd.service + + auditd.service - Security Auditing Service + Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) +@@ -6778,7 +6735,7 @@ $ sudo yum list installed openssh-server + + openssh-server.x86_64 8.0p1-5.el8 @anaconda + +-If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -6786,17 +6743,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted. 
+ +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted. +- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.default.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. ++$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. + + Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + +@@ -6810,13 +6765,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 + + If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf +@@ -6824,17 +6779,15 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets. + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets. +- +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.all.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. 
++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. + + Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + +@@ -6848,13 +6801,13 @@ If the returned line does not have a value of "0", a line is not returned, or th + + Check that the configuration files are present to enable this network parameter. + +-$ sudo grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.d/*.conf ++$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0 + + If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+ 
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+ /etc/sysctl.d/*.conf
+@@ -6862,17 +6815,15 @@ The sysctl --system command will load settings from all system configuration fil
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+-/etc/sysctl.conf
+-
+-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets by default.
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets by default.
+ 
+-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
+ 
+ net.ipv4.conf.default.accept_source_route=0
+ 
+ Load settings from all system configuration files with the following command:
+ 
+-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default.
++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default.
+ 
+ Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+ 
+@@ -6886,13 +6837,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
+ 
+ Check that the configuration files are present to enable this network parameter.
+ 
+-$ sudo grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.d/*.conf
++$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
+ 
+ /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0
+ 
+ If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding.
+ 
+-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+ 
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+ /etc/sysctl.d/*.conf
+@@ -6900,17 +6851,15 @@ The sysctl --system command will load settings from all system configuration fil
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+-/etc/sysctl.conf
+-
+-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv4 ICMP redirect messages.
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv4 ICMP redirect messages.
+ 
+-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
+ 
+ net.ipv4.conf.all.accept_redirects = 0
+ 
+ Load settings from all system configuration files with the following command:
+ 
+-$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages.
++$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages.
+ 
+ Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+ 
+@@ -6924,13 +6873,13 @@ If the returned line does not have a value of "0", a line is not returned, or th
+ 
+ Check that the configuration files are present to enable this network parameter.
+ 
+-$ sudo grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.d/*.conf
++$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
+ 
+ /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0
+ 
+ If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
+ 
+-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+ 
+ Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users.
+ 
+@@ -6940,15 +6889,13 @@ The sysctl --system command will load settings from all system configuration fil
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+-/etc/sysctl.conf
+-
+-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory:
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:
+ 
+ net.core.bpf_jit_harden = 2
+ 
+ The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
+ 
+-$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands:
++$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands:
+ 
+ $ sudo sysctl net.core.bpf_jit_harden
+ 
+@@ -6958,13 +6905,13 @@ If the returned line does not have a value of "2", or a line is not returned, th
+ 
+ Check that the configuration files are present to enable this network parameter.
+ 
+-$ sudo grep -r net.core.bpf_jit_harden /etc/sysctl.d/*.conf
++$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
+ 
+ /etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2
+ 
+ If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding.
+ 
+-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
++If results are returned from more than one file location, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.
+ 
+ Procedure:
+ Check that the following package has been installed:
+@@ -7038,7 +6985,7 @@ $ sudo ls -Zd /var/log/faillock
+ 
+ unconfined_u:object_r:faillog_t:s0 /var/log/faillock
+ 
+-If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
++If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
+ 
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+ /etc/sysctl.d/*.conf
+@@ -7046,17 +6993,15 @@ The sysctl --system command will load settings from all system configuration fil
+ /usr/local/lib/sysctl.d/*.conf
+ /usr/lib/sysctl.d/*.conf
+ /lib/sysctl.d/*.conf
+-/etc/sysctl.conf
+-
+-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.
+ 
+-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory:
++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:
+ 
+ net.ipv4.conf.all.forwarding=0
+ 
+ Load settings from all system configuration files with the following command:
+ 
+-$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
++$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.
+ 
+ Note: If IPv4 is disabled on the system, this requirement is Not Applicable.
+ 
+@@ -7069,13 +7014,13 @@ If the IPv4 forwarding value is not "0" and is not documented with the Informati
+ 
+ Check that the configuration files are present to enable this network parameter.
+ 
+-$ sudo grep -r net.ipv4.conf.all.forwarding /etc/sysctl.d/*.conf
++$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
+ 
+ /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0
+ 
+ If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
+ +-If the configuration file does not begin with "99-", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: ++If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: + + Perform a password reset: + $ sudo passwd [username] + +From b1e14f5035a539b0539d417606232a42ad194a9d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 2 May 2022 10:24:54 +0200 +Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R5 + +The V1R5 SCAP content is aligned with the V1R6 manual benchmark. +--- + ...ml => disa-stig-rhel8-v1r5-xccdf-scap.xml} | 2050 +++++++++++------ + 1 file changed, 1294 insertions(+), 756 deletions(-) + rename shared/references/{disa-stig-rhel8-v1r4-xccdf-scap.xml => disa-stig-rhel8-v1r5-xccdf-scap.xml} (92%) + +diff --git a/shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml +similarity index 92% +rename from shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml +rename to shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml +index 24c8f3e51a8..1bd2fb7b659 100644 +--- a/shared/references/disa-stig-rhel8-v1r4-xccdf-scap.xml ++++ b/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml +@@ -1,36 +1,36 @@ + +- +- ++ ++ + +- ++ + +- ++ + + + + +- ++ + +- ++ + + + + +- +- ++ ++ + + +- ++ + + + Red Hat Enterprise Linux 8 +- oval:mil.disa.stig.rhel8:def:1 ++ oval:mil.disa.stig.rhel8:def:1 + + + +- ++ + +- accepted ++ accepted + Red Hat Enterprise Linux 8 Security Technical Implementation Guide + This Security Technical Implementation 
Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + +@@ -40,11 +40,11 @@ + DISA + STIG.DOD.MIL + +- Release: 1.4 Benchmark Date: 27 Jan 2022 +- 3.2.2.36079 ++ Release: 1.5 Benchmark Date: 27 Apr 2022 ++ 3.3.0.27375 + 1.10.0 + +- 001.004 ++ 001.005 + + DISA + DISA +@@ -88,6 +88,7 @@ + + + ++ + + + +@@ -280,6 +281,10 @@ + + + ++ ++ ++ ++ + + + I - Mission Critical Public +@@ -318,6 +323,7 @@ + + + ++ + + + +@@ -510,6 +516,10 @@ + + + ++ ++ ++ ++ + + + I - Mission Critical Sensitive +@@ -548,6 +558,7 @@ + + + ++ + + + +@@ -740,6 +751,10 @@ + + + ++ ++ ++ ++ + + + II - Mission Support Classified +@@ -778,6 +793,7 @@ + + + ++ + + + +@@ -970,6 +986,10 @@ + + + ++ ++ ++ ++ + + + II - Mission Support Public +@@ -1008,6 +1028,7 @@ + + + ++ + + + +@@ -1200,6 +1221,10 @@ + + + ++ ++ ++ ++ + + + II - Mission Support Sensitive +@@ -1238,6 +1263,7 @@ + + + ++ + + + +@@ -1430,6 +1456,10 @@ + + + ++ ++ ++ ++ + + + III - Administrative Classified +@@ -1468,6 +1498,7 @@ + + + ++ + + + +@@ -1660,6 +1691,10 @@ + + + ++ ++ ++ ++ + + + III - Administrative Public +@@ -1698,6 +1733,7 @@ + + + ++ + + + +@@ -1890,6 +1926,10 @@ + + + ++ ++ ++ ++ + + + III - Administrative Sensitive +@@ -1928,6 +1968,7 @@ + + + ++ + + + +@@ -2120,6 +2161,10 @@ + + + ++ ++ ++ ++ + + + CAT I Only +@@ -2144,14 +2189,15 @@ + + + +- +- +- +- +- ++ ++ ++ ++ ++ + + + ++ + + + +@@ -2171,7 +2217,7 @@ + + + +- ++ + + + +@@ -2309,21 +2355,21 @@ + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -2335,6 +2381,7 @@ + + + ++ + + + SRG-OS-000480-GPOS-00227 +@@ -2356,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L + Upgrade to a 
supported version of RHEL 8. + + +- ++ + + + +@@ -2392,7 +2439,7 @@ $ sudo fips-mode-setup --enable + Reboot the system for the changes to take effect. + + +- ++ + + + +@@ -2422,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M + ENCRYPT_METHOD SHA512 + + +- ++ + + + +@@ -2446,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth + Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. + + +- ++ + + + +@@ -2474,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ + SHA_CRYPT_MIN_ROUNDS 5000 + + +- ++ + + + +@@ -2502,7 +2549,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2530,7 +2577,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2554,7 +2601,7 @@ Confirm password: + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + +- ++ + + + +@@ -2584,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include + password sufficient pam_unix.so sha512 + + +- ++ + + + +@@ -2614,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + Remove any files with the .keytab extension from the operating system. + + +- ++ + + + +@@ -2644,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-workstation + + +- ++ + + + +@@ -2670,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o + $ sudo yum install policycoreutils + + +- ++ + + + +@@ -2706,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. 
+ $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -2732,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0640 /var/log/messages + + +- ++ + + + +@@ -2758,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log/messages + + +- ++ + + + +@@ -2784,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log/messages + + +- ++ + + + +@@ -2810,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0755 /var/log + + +- ++ + + + +@@ -2836,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log + + +- ++ + + + +@@ -2862,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log + + +- ++ + + + +@@ -2892,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -2930,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 + A reboot is required for the changes to take effect. 
+ + +- ++ + + + +@@ -2958,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod + $ sudo chmod 755 [FILE] + + +- ++ + + + +@@ -2986,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o + $ sudo chown root [FILE] + + +- ++ + + + +@@ -3014,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g + $ sudo chgrp root [FILE] + + +- ++ + + + +@@ -3042,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i + gpgcheck=1 + + +- ++ + + + +@@ -3072,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: + localpkg_gpgcheck=True + + +- ++ + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010372 + RHEL 8 must prevent the loading of a new kernel for later execution. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
+@@ -3092,8 +3139,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -3102,25 +3148,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-001749 +- Configure the operating system to disable kernel image loading. ++ Configure the operating system to disable kernel image loading. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.kexec_load_disabled = 1 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010373 + RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +@@ -3137,8 +3183,6 @@ The sysctl --system command will load settings from all system configuration fil + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. 
+- + Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 +@@ -3148,25 +3192,25 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO + 2921 + + CCI-002165 +- Configure the operating system to enable DAC on symlinks. ++ Configure the operating system to enable DAC on symlinks. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + fs.protected_symlinks = 1 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010374 + RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
+@@ -3183,8 +3227,6 @@ The sysctl --system command will load settings from all system configuration fil + /lib/sysctl.d/*.conf + /etc/sysctl.conf + +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. +- + Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 +@@ -3194,25 +3236,25 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO + 2921 + + CCI-002165 +- Configure the operating system to enable DAC on hardlinks. ++ Configure the operating system to enable DAC on hardlinks. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + fs.protected_hardlinks = 1 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010375 + RHEL 8 must restrict access to the kernel message buffer. 
+ <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +@@ -3229,9 +3271,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -3240,25 +3280,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-001090 +- Configure the operating system to 
restrict access to the kernel message buffer. ++ Configure the operating system to restrict access to the kernel message buffer. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.dmesg_restrict = 1 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010376 + RHEL 8 must prevent kernel profiling by unprivileged users. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+@@ -3275,9 +3315,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -3286,18 +3324,18 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-001090 +- Configure the operating system to prevent kernel profiling by unprivileged users. ++ Configure the operating system to prevent kernel profiling by unprivileged users. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.perf_event_paranoid = 2 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + +@@ -3323,7 +3361,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO + Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + + +- ++ + + + +@@ -3349,7 +3387,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO + Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + + +- ++ + + + +@@ -3381,7 +3419,47 @@ This requirement only applies to components where this is specific to the functi + $ sudo yum install openssl-pkcs11 + + +- ++ ++ ++ ++ ++ ++ SRG-OS-000433-GPOS-00193 ++ <GroupDescription></GroupDescription> ++ ++ RHEL-08-010430 ++ RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. ++ <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. ++ ++Examples of attacks are buffer overflow attacks. ++ ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. ++/etc/sysctl.d/*.conf ++/run/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf ++/lib/sysctl.d/*.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++ ++ DPMS Target Red Hat Enterprise Linux 8 ++ DISA ++ DPMS Target ++ Red Hat Enterprise Linux 8 ++ 2921 ++ ++ CCI-002824 ++ Configure the operating system to implement virtual address space randomization. ++ ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: ++ ++kernel.randomize_va_space=2 ++ ++Issue the following command to make the changes take effect: ++ ++$ sudo sysctl --system ++ ++ ++ + + + +@@ -3407,7 +3485,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con + clean_requirements_on_remove=True + + +- ++ + + + +@@ -3437,7 +3515,7 @@ SELINUXTYPE=targeted + A reboot is required for the changes to take effect. + + +- ++ + + + +@@ -3461,7 +3539,7 @@ A reboot is required for the changes to take effect. + $ sudo rm /etc/ssh/shosts.equiv + + +- ++ + + + +@@ -3485,7 +3563,7 @@ $ sudo rm /etc/ssh/shosts.equiv + $ sudo rm /[path]/[to]/[file]/.shosts + + +- ++ + + + +@@ -3513,7 +3591,7 @@ The SSH daemon must be restarted for the changes to take effect. 
To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3541,7 +3619,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3569,7 +3647,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3595,7 +3673,7 @@ Compression no + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -3625,7 +3703,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3655,7 +3733,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3677,7 +3755,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var" path onto a separate file system. + + +- ++ + + + +@@ -3699,7 +3777,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var/log" path onto a separate file system. + + +- ++ + + + +@@ -3721,7 +3799,7 @@ $ sudo systemctl restart sshd.service + Migrate the system audit data path onto a separate file system. + + +- ++ + + + +@@ -3743,7 +3821,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/tmp" directory onto a separate file system/partition. + + +- ++ + + + +@@ -3773,7 +3851,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3801,7 +3879,7 @@ $ sudo systemctl start rsyslog.service + $ sudo systemctl enable rsyslog.service + + +- ++ + + + +@@ -3823,7 +3901,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. + + +- ++ + + + +@@ -3845,7 +3923,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. 
+ + +- ++ + + + +@@ -3867,7 +3945,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3889,7 +3967,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3911,14 +3989,14 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010671 + RHEL 8 must disable the kernel.core_pattern. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -3929,9 +4007,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -3940,18 +4016,18 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to disable storing core dumps. ++ Configure RHEL 8 to disable storing core dumps. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + kernel.core_pattern = |/bin/false + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + +@@ -3979,7 +4055,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard core 0 + + +- ++ + + + +@@ -4007,7 +4083,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + Storage=none + + +- ++ + + + +@@ -4035,7 +4111,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + ProcessSizeMax=0 + + +- ++ + + + +@@ -4059,7 +4135,7 @@ ProcessSizeMax=0 + CREATE_HOME yes + + +- ++ + + + +@@ -4089,7 +4165,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -4127,7 +4203,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4159,7 +4235,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + deny = 3 + + +- ++ + + + +@@ -4197,7 +4273,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4229,7 +4305,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + fail_interval = 900 + + +- ++ + + + +@@ -4267,7 +4343,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4299,7 +4375,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + unlock_time = 0 + + +- ++ + + + +@@ -4337,7 +4413,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4369,7 +4445,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + silent + + +- ++ + + + +@@ -4409,7 +4485,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4441,7 +4517,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + audit + + +- ++ + + + +@@ -4481,7 +4557,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4513,7 +4589,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + even_deny_root + + +- ++ + + + +@@ -4541,7 +4617,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard maxlogins 10 + + +- ++ + + + +@@ -4573,7 +4649,7 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: + set -g lock-command vlock + + +- ++ + + + +@@ -4609,7 +4685,7 @@ fi + This setting will take effect at next logon. + + +- ++ + + + +@@ -4637,7 +4713,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion + Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. 
+ + +- ++ + + + +@@ -4667,7 +4743,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin + password required pam_pwquality.so + + +- ++ + + + +@@ -4697,7 +4773,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ucredit = -1 + + +- ++ + + + +@@ -4727,7 +4803,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + lcredit = -1 + + +- ++ + + + +@@ -4757,7 +4833,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + dcredit = -1 + + +- ++ + + + +@@ -4787,7 +4863,7 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin + maxclassrepeat = 4 + + +- ++ + + + +@@ -4817,7 +4893,7 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + maxrepeat = 3 + + +- ++ + + + +@@ -4847,7 +4923,7 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + minclass = 4 + + +- ++ + + + +@@ -4877,7 +4953,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + difok = 8 + + +- ++ + + + +@@ -4901,7 +4977,7 @@ difok = 8 + $ sudo chage -m 1 [user] + + +- ++ + + + +@@ -4927,7 +5003,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ + PASS_MIN_DAYS 1 + + +- ++ + + + +@@ -4953,7 +5029,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MAX_DAYS 60 + + +- ++ + + + +@@ -4977,7 +5053,7 @@ PASS_MAX_DAYS 60 + $ sudo chage -M 60 [user] + + +- ++ + + + +@@ -5009,7 +5085,7 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have + password required pam_pwhistory.so use_authtok remember=5 retry=3 + + +- ++ + + + +@@ -5043,7 +5119,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + minlen = 15 + + +- ++ + + + +@@ -5073,7 +5149,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MIN_LEN 15 + + +- ++ + + + +@@ -5103,7 
+5179,7 @@ $ sudo useradd -D -f 35 + DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. + + +- ++ + + + +@@ -5133,7 +5209,7 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ocredit = -1 + + +- ++ + + + +@@ -5159,7 +5235,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a + dictcheck=1 + + +- ++ + + + +@@ -5187,7 +5263,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr + FAIL_DELAY 4 + + +- ++ + + + +@@ -5215,7 +5291,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -5243,7 +5319,7 @@ PrintLastLog yes + The SSH service must be restarted for changes to "sshd_config" to take effect. + + +- ++ + + + +@@ -5269,7 +5345,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 + UMASK 077 + + +- ++ + + + +@@ -5303,7 +5379,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5333,7 +5409,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator + action_mail_acct = root + + +- ++ + + + +@@ -5365,7 +5441,7 @@ disk_error_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". 
+ + +- ++ + + + +@@ -5399,7 +5475,7 @@ disk_full_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". + + +- ++ + + + +@@ -5427,7 +5503,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: + local_events = yes + + +- ++ + + + +@@ -5459,7 +5535,7 @@ name_format = hostname + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5489,7 +5565,7 @@ log_format = ENRICHED + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5517,7 +5593,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5547,7 +5623,7 @@ $ sudo chown root [audit_log_file] + Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + + +- ++ + + + +@@ -5575,7 +5651,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5605,7 +5681,7 @@ $ sudo chown root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". + + +- ++ + + + +@@ -5635,7 +5711,7 @@ $ sudo chgrp root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". + + +- ++ + + + +@@ -5665,7 +5741,7 @@ $ sudo chmod 0700 [audit_log_directory] + Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". 
+ + +- ++ + + + +@@ -5697,7 +5773,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. + + +- ++ + + + +@@ -5727,7 +5803,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + --loginuid-immutable + + +- ++ + + + +@@ -5759,7 +5835,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5791,7 +5867,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5823,7 +5899,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5855,7 +5931,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5887,7 +5963,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5919,7 +5995,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5951,7 +6027,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -5983,7 +6059,7 @@ Install the audit service (if the audit service is not already installed) with t + $ sudo yum install audit + + +- ++ + + + +@@ -6015,7 +6091,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6060,7 +6136,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6092,7 +6168,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6124,7 +6200,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6156,7 +6232,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6188,7 +6264,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6220,7 +6296,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6252,7 +6328,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6285,7 +6361,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6317,7 +6393,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6349,7 +6425,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6381,7 +6457,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6413,7 +6489,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6445,7 +6521,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6477,7 +6553,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6509,7 +6585,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6541,7 +6617,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6573,7 +6649,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6605,7 +6681,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6637,7 +6713,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6669,7 +6745,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6704,7 +6780,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6744,7 +6820,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6776,7 +6852,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6809,7 +6885,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6841,7 +6917,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6873,7 +6949,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6916,7 +6992,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6955,7 +7031,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6993,7 +7069,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7025,7 +7101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7057,7 +7133,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7089,7 +7165,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7131,7 +7207,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7173,7 +7249,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7199,7 +7275,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules + $ sudo chmod 0640 /etc/audit/auditd.conf + + +- ++ + + + +@@ -7229,7 +7305,7 @@ $ sudo chmod 0755 [audit_tool] + Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. + + +- ++ + + + +@@ -7261,7 +7337,7 @@ $ sudo chown root [audit_tool] + Replace "[audit_tool]" with each audit tool not owned by "root". + + +- ++ + + + +@@ -7293,7 +7369,7 @@ $ sudo chgrp root [audit_tool] + Replace "[audit_tool]" with each audit tool not group-owned by "root". 
+ + +- ++ + + + +@@ -7328,7 +7404,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog + + +- ++ + + + +@@ -7363,7 +7439,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog-gnutls + + +- ++ + + + +@@ -7395,7 +7471,7 @@ overflow_action = syslog + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -7421,7 +7497,7 @@ space_left = 25% + Note: Option names and values in the auditd.conf file are case insensitive. + + +- ++ + + + +@@ -7451,7 +7527,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + port 0 + + +- ++ + + + +@@ -7481,7 +7557,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + cmdport 0 + + +- ++ + + + +@@ -7515,7 +7591,7 @@ If a privileged user were to log on using this service, the privileged user pass + $ sudo yum remove telnet-server + + +- ++ + + + +@@ -7545,7 +7621,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove abrt* + + +- ++ + + + +@@ -7575,7 +7651,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove sendmail + + +- ++ + + + +@@ -7607,7 +7683,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion + $ sudo yum remove rsh-server + + +- ++ + + + +@@ -7640,7 +7716,7 @@ blacklist atm + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7673,7 +7749,7 @@ blacklist can + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7706,7 +7782,7 @@ blacklist sctp + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7739,7 +7815,7 @@ blacklist tipc + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7772,7 +7848,7 @@ blacklist cramfs + Reboot the system for the settings to take effect. 
+ + +- ++ + + + +@@ -7803,7 +7879,7 @@ blacklist firewire-core + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7834,7 +7910,7 @@ blacklist usb-storage + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7866,7 +7942,7 @@ install bluetooth /bin/true + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7896,7 +7972,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -7924,7 +8000,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -7954,7 +8030,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -7984,7 +8060,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8012,7 +8088,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8042,7 +8118,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8072,7 +8148,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8102,7 +8178,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8132,7 +8208,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs 
defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8162,7 +8238,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8192,7 +8268,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8222,7 +8298,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8252,7 +8328,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8282,7 +8358,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8312,7 +8388,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8342,7 +8418,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO + $ sudo systemctl enable sshd.service + + +- ++ + + + +@@ -8378,7 +8454,7 @@ Restart the SSH daemon for the settings to take effect. + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -8406,7 +8482,7 @@ Reload the daemon for this change to take effect. + $ sudo systemctl daemon-reload + + +- ++ + + + +@@ -8430,7 +8506,7 @@ $ sudo systemctl daemon-reload + $ sudo yum remove tftp-server + + +- ++ + + + +@@ -8454,14 +8530,14 @@ $ sudo yum remove tftp-server + If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". 
Otherwise, assign a UID of greater than "1000" that has not already been assigned. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040210 + RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +@@ -8472,9 +8548,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8483,25 +8557,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being 
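Review bot: The new VulnDiscussion text in `@@ -8472,9 +8548,7 @@` drops the sentence explaining that a "99-" file in /etc/sysctl.d takes precedence, and the matching fix text in `@@ -8483,25 +8557,25 @@` now says only "in a system configuration file, in the /etc/sysctl.d/ directory", yet the retained load order (…/lib/sysctl.d/*.conf then /etc/sysctl.conf) still means a later-sorting file or /etc/sysctl.conf can silently override the value written. Since this reference XCCDF appears to be vendored DISA content, I would not edit it here, but the project-side rule text and check that mirror it should not assume presence in one /etc/sysctl.d file is sufficient; the sibling sysctl patches in this same import (multiple-file and symlink handling) look like the right place to confirm the effective value is what is checked. A one-line caveat for the project-side description would be: `Note: sysctl --system applies files in lexical order with /etc/sysctl.conf last, so a later file may override this setting; confirm with sysctl net.ipv6.conf.default.accept_redirects.` The same removal repeats in every sysctl rule hunk that follows, through `@@ -8968,23 +9018,23 @@` (RHEL-08-040220 to RHEL-08-040284), so one project-side fix covers all of them. The enclosing Group/Rule elements extend beyond these hunks.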
accepted. ++ Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040220 + RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +@@ -8514,9 +8588,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8525,25 +8597,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects. ++ Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.all.send_redirects=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040230 + RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. 
+@@ -8555,9 +8627,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8566,25 +8636,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. ++ Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.icmp_echo_ignore_broadcasts=1 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040240 + RHEL 8 must not forward IPv6 source-routed packets. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +@@ -8595,9 +8665,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8606,25 +8674,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not forward IPv6 source-routed packets. ++ Configure RHEL 8 to not forward IPv6 source-routed packets. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_source_route=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040250 + RHEL 8 must not forward IPv6 source-routed packets by default. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+@@ -8635,9 +8703,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8646,25 +8712,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not forward IPv6 source-routed packets by default. ++ Configure RHEL 8 to not forward IPv6 source-routed packets by default. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_source_route=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040260 + RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8675,9 +8741,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + 
DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8686,25 +8750,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router. ++ Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.forwarding=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040261 + RHEL 8 must not accept router advertisements on all IPv6 interfaces. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
+@@ -8717,9 +8781,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8728,25 +8790,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. ++ Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_ra=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040262 + RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8759,9 +8821,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target 
Red Hat Enterprise Linux 8 + DISA +@@ -8770,25 +8830,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. ++ Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.default.accept_ra=0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040270 + RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. 
+@@ -8801,9 +8861,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8812,25 +8870,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. ++ Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. 
+ +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv4.conf.default.send_redirects = 0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040280 + RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +@@ -8841,9 +8899,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8852,25 +8908,25 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to ignore IPv6 ICMP redirect messages. ++ Configure RHEL 8 to ignore IPv6 ICMP redirect messages. + +-Add or edit the following line in a system configuration file, which begins with "99-", in the "/etc/sysctl.d/" directory: ++Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: + + net.ipv6.conf.all.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040281 + RHEL 8 must disable access to network bpf syscall from unprivileged processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -8881,9 +8937,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8892,23 +8946,23 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++ Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.unprivileged_bpf_disabled = 1 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040282 + RHEL 8 must restrict usage of ptrace to descendant processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8919,9 +8973,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8930,23 +8982,23 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to restrict usage of ptrace to descendant 
processes by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++ Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.yama.ptrace_scope = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040283 + RHEL 8 must restrict exposed kernel pointer addresses access. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8957,9 +9009,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -8968,23 +9018,23 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++ Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the "/etc/sysctl.d" directory: + + kernel.kptr_restrict = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040284 + RHEL 8 must disable the use of user namespaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -8995,9 +9045,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -9006,7 +9054,7 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++ Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + + Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +@@ -9015,16 +9063,16 @@ user.max_user_namespaces = 0 + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040285 + RHEL 8 must use reverse path filtering on all IPv4 interfaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -9035,9 +9083,7 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA +@@ -9046,16 +9092,16 @@ Based on the information above, if a configuration file that begins with "99-" i + 2921 + + CCI-000366 +- Configure RHEL 8 to use reverse path filtering on all IPv4 
interfaces by adding the following line to a file, which begins with "99-", in the "/etc/sysctl.d" directory: ++ Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory: + + net.ipv4.conf.all.rp_filter = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + + $ sudo sysctl --system +- ++ + +- ++ + + + +@@ -9079,7 +9125,7 @@ $ sudo sysctl --system + $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' + + +- ++ + + + +@@ -9111,7 +9157,7 @@ The SSH service must be restarted for changes to take effect: + $ sudo systemctl restart sshd + + +- ++ + + + +@@ -9137,7 +9183,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us + X11UseLocalhost yes + + +- ++ + + + +@@ -9161,7 +9207,7 @@ X11UseLocalhost yes + server_args = -s /var/lib/tftpboot + + +- ++ + + + +@@ -9185,7 +9231,7 @@ server_args = -s /var/lib/tftpboot + $ sudo yum remove vsftpd + + +- ++ + + + +@@ -9213,7 +9259,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose + $ sudo yum remove gssproxy + + +- ++ + + + +@@ -9241,7 +9287,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI + $ sudo yum remove iprutils + + +- ++ + + + +@@ -9269,7 +9315,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. + $ sudo yum remove tuned + + +- ++ + + + +@@ -9299,7 +9345,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-server + + +- ++ + + + +@@ -9323,7 +9369,7 @@ ALL ALL=(ALL) ALL + ALL ALL=(ALL:ALL) ALL + + +- ++ + + + +@@ -9349,7 +9395,7 @@ Defaults !rootpw + Defaults !runaspw + + +- ++ + + + +@@ -9381,20 +9427,146 @@ Defaults timestamp_timeout=[value] + Note: The "[value]" must be a number that is greater than or equal to "0". 
+ + +- ++ ++ ++ ++ ++ ++ SRG-OS-000480-GPOS-00227 ++ <GroupDescription></GroupDescription> ++ ++ RHEL-08-020331 ++ RHEL 8 must not allow blank or null passwords in the system-auth file. ++ <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++ ++ DPMS Target Red Hat Enterprise Linux 8 ++ DISA ++ DPMS Target ++ Red Hat Enterprise Linux 8 ++ 2921 ++ ++ CCI-000366 ++ Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords. ++ ++Note: Manual changes to the listed file may be overwritten by the "authselect" program. ++ ++ ++ ++ ++ ++ ++ ++ SRG-OS-000480-GPOS-00227 ++ <GroupDescription></GroupDescription> ++ ++ RHEL-08-020332 ++ RHEL 8 must not allow blank or null passwords in the password-auth file. ++ <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++ ++ DPMS Target Red Hat Enterprise Linux 8 ++ DISA ++ DPMS Target ++ Red Hat Enterprise Linux 8 ++ 2921 ++ ++ CCI-000366 ++ Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords. ++ ++Note: Manual changes to the listed file may be overwritten by the "authselect" program. ++ ++ ++ ++ ++ ++ ++ ++ SRG-OS-000480-GPOS-00227 ++ <GroupDescription></GroupDescription> ++ ++ RHEL-08-040286 ++ RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. ++ <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++ ++Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. ++ ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. ++/etc/sysctl.d/*.conf ++/run/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf ++/lib/sysctl.d/*.conf ++/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++ ++ DPMS Target Red Hat Enterprise Linux 8 ++ DISA ++ DPMS Target ++ Red Hat Enterprise Linux 8 ++ 2921 ++ ++ CCI-000366 ++ Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: ++ ++net.core.bpf_jit_harden = 2 ++ ++The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: ++ ++$ sudo sysctl --system ++ ++ ++ ++ ++ ++ ++ ++ SRG-OS-000480-GPOS-00227 ++ <GroupDescription></GroupDescription> ++ ++ RHEL-08-010121 ++ The RHEL 8 operating system must not have accounts configured with blank or null passwords. ++ <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> ++ ++ DPMS Target Red Hat Enterprise Linux 8 ++ DISA ++ DPMS Target ++ Red Hat Enterprise Linux 8 ++ 2921 ++ ++ CCI-000366 ++ Configure all accounts on the system to have a password or lock the account with the following commands: ++ ++Perform a password reset: ++$ sudo passwd [username] ++Lock an account: ++$ sudo passwd -l [username] ++ ++ ++ + + + + + +- ++ + + + repotool + 5.10 +- 2022-01-03T11:44:33 ++ 2022-03-28T12:45:12 + + ++ ++ ++ The RHEL 8 version is RHEL 8.2 or newer. ++ ++ Red Hat Enterprise Linux 8 ++ ++ External definition used to determine if the RHEL 8 version is RHEL 8.2 or newer for version applicability based requirements. ++ ++ ++ ++ ++ ++ + + + IPv6 is disabled in the kernel. +@@ -9835,29 +10007,30 @@ Verifying the authenticity of the software prior to installation validates the i + + + +- ++ + + RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. + + Red Hat Enterprise Linux 8 + + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++ + Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. 
++ + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + + + + +- ++ + + RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. + +@@ -9874,16 +10047,14 @@ The sysctl --system command will load settings from all system configuration fil + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. 
+ +@@ -9901,16 +10072,14 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer. + +@@ -9929,16 +10098,14 @@ The sysctl --system command will load settings from all system configuration fil + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users. + +@@ -9958,13 +10125,11 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + +- ++ + + + +@@ -10017,6 +10182,29 @@ This requirement only applies to components where this is specific to the functi + + + ++ ++ ++ RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. ++ ++ Red Hat Enterprise Linux 8 ++ ++ Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. 
Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. ++ ++Examples of attacks are buffer overflow attacks. ++ ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. ++/etc/sysctl.d/*.conf ++/run/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf ++/lib/sysctl.d/*.conf ++/etc/sysctl.conf ++ ++ ++ ++ ++ ++ + + + RHEL-08-010440 - YUM must remove all software components after updated versions have been installed on RHEL 8. +@@ -10308,7 +10496,7 @@ Configuration settings are the set of parameters that can be changed in hardware + + + +- ++ + + RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern. + +@@ -10322,16 +10510,14 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-010673 - RHEL 8 must disable core dumps for all users. 
+ +@@ -10341,7 +10527,7 @@ Based on the information above, if a configuration file that begins with "99-" i + + A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +- ++ + + + +@@ -10399,7 +10585,7 @@ A core dump includes a memory image taken at the time the operating system termi + + + +- ++ + + RHEL-08-020010 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. + +@@ -10412,7 +10598,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -10438,7 +10624,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo + + + +- ++ + + RHEL-08-020012 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. + +@@ -10451,7 +10637,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -10475,7 +10661,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo + + + +- ++ + + RHEL-08-020014 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
+ +@@ -10488,7 +10674,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -10514,7 +10700,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo + + + +- ++ + + RHEL-08-020018 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. + +@@ -10527,7 +10713,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -10551,7 +10737,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo + + + +- ++ + + RHEL-08-020020 - RHEL 8 must log user name information when unsuccessful logon attempts occur. + +@@ -10564,7 +10750,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -10588,7 +10774,7 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo + + + +- ++ + + RHEL-08-020022 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
+ +@@ -10601,7 +10787,7 @@ RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual chan + From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + + +- ++ + + + +@@ -12822,13 +13008,21 @@ Session key regeneration limits the chances of a session key becoming compromise + + + +- ++ + + RHEL-08-040210 - RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. + + Red Hat Enterprise Linux 8 + +- ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++ ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++ ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
++/etc/sysctl.d/*.conf ++/run/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf ++/lib/sysctl.d/*.conf ++/etc/sysctl.conf + + + +@@ -12838,7 +13032,7 @@ Session key regeneration limits the chances of a session key becoming compromise + + + +- ++ + + RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. + +@@ -12854,16 +13048,14 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + +@@ -12879,16 +13071,14 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + +- ++ + + +- ++ + + RHEL-08-040240 - RHEL 8 must not forward source-routed packets. + +@@ -12902,45 +13092,41 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. 
++/etc/sysctl.conf + + + + + +- ++ + + + +- ++ + + RHEL-08-040250 - RHEL 8 must not forward source-routed packets by default. + + Red Hat Enterprise Linux 8 + + Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +- ++ + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + + + +- ++ + + + +- ++ + + RHEL-08-040260 - RHEL 8 must not be performing packet forwarding unless the system is a router. + +@@ -12954,19 +13140,17 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. 
++/etc/sysctl.conf + + + + + +- ++ + + + +- ++ + + RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces. + +@@ -12982,19 +13166,17 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + + + +- ++ + + + +- ++ + + RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. + +@@ -13010,19 +13192,17 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + + + + +- ++ + + + +- ++ + + RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + +@@ -13038,18 +13218,16 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + +- ++ + +- RHEL-08-040280 - RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. ++ RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. 
+ + Red Hat Enterprise Linux 8 + +@@ -13061,19 +13239,17 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + + +- ++ + +- +- ++ ++ + + + +- ++ + + RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes. + +@@ -13087,16 +13263,14 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + +- ++ + + RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. + +@@ -13110,38 +13284,35 @@ The sysctl --system command will load settings from all system configuration fil + /usr/local/lib/sysctl.d/*.conf + /usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file that begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configuration file on the system. ++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + +- ++ + + RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access. + + Red Hat Enterprise Linux 8 + +- It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors. ++ It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored. ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf +-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system. ++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + +- ++ + + RHEL-08-040284 - RHEL 8 must disable the use of user namespaces. 
+ +@@ -13149,21 +13320,20 @@ Based on the information above, if a configuration file begins with "99-" is cre + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored. ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf +-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system. 
++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + +- ++ + + RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. + +@@ -13171,18 +13341,17 @@ Based on the information above, if a configuration file begins with "99-" is cre + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +-The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a gien filename is loaded, any file of the same name in subsequent directories is ignored. ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+ /etc/sysctl.d/*.conf + /run/sysctl.d/*.conf +-/usr/local/lib/sysctl.d/*.conf/usr/lib/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf + /lib/sysctl.d/*.conf +-/etc/sysctl.conf +- +-Based on the information above, if a configuration file begins with "99-" is created in the "/etc/sysctl.d/" directory, it will take precedence over any other configurationfile on the system. ++/etc/sysctl.conf + +- +- +- ++ ++ ++ + + + +@@ -13395,38 +13564,101 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- +- +- +- +- +- +- ++ ++ ++ RHEL-08-020331 - RHEL 8 must not allow blank or null passwords in the system-auth file. ++ ++ Red Hat Enterprise Linux 8 ++ ++ If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ++ ++ ++ ++ ++ ++ ++ ++ RHEL-08-020332 - RHEL 8 must not allow blank or null passwords in the password-auth file. ++ ++ Red Hat Enterprise Linux 8 ++ ++ If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. ++ ++ ++ ++ ++ ++ ++ ++ RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. ++ ++ Red Hat Enterprise Linux 8 ++ ++ It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++ ++Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. 
++ ++The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. ++/etc/sysctl.d/*.conf ++/run/sysctl.d/*.conf ++/usr/local/lib/sysctl.d/*.conf ++/usr/lib/sysctl.d/*.conf ++/lib/sysctl.d/*.conf ++/etc/sysctl.conf ++ ++ ++ ++ ++ ++ ++ ++ ++ RHEL-08-010121 - The RHEL 8 operating system must not have accounts configured with blank or null passwords. ++ ++ Red Hat Enterprise Linux 8 ++ ++ If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + + + + +- ++ + +- + +- + + + + + + +- ++ + +- + +- + + + +@@ -13589,40 +13821,40 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +@@ -13640,6 +13872,14 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -13756,15 +13996,17 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- ++ ++ + + +- +- ++ ++ ++ + +- +- ++ ++ ++ + + + +@@ -13827,10 +14069,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- + + + +@@ -13855,10 +14093,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- + + + +@@ -13873,10 +14107,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- + + + +@@ -13890,10 +14120,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- + + + +@@ -13907,10 +14133,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- +- +- + + + +@@ -14713,11 +14935,11 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- ++ + + + +- ++ + + + +@@ -14725,113 +14947,113 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + +- ++ + + + +- +- ++ ++ + + +- ++ + +- ++ + +- +- +- ++ ++ ++ + +- +- ++ ++ + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + +- ++ + + + +- +- ++ ++ + + +- ++ + + + +- +- ++ ++ + + +- ++ + +- ++ + +- +- +- ++ ++ ++ + + + +@@ -14900,17 +15122,34 @@ If the value is 
set to an integer less than 0, the user's time stamp will not ex + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + + net.ipv6.conf.all.disable_ipv6 + +- ++ + /etc/sysctl.conf + (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ + 1 + +- ++ + + \.conf$ + (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)\s*$ +@@ -15089,48 +15328,104 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + kernel.kexec_load_disabled + +- ++ + /etc/sysctl.d +- ^99-.*\.conf$ ++ \.conf$ + (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.kexec_load_disabled\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:13201 ++ oval:mil.disa.stig.rhel8:obj:13202 ++ ++ + + fs.protected_symlinks + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ ++ \.conf$ + (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/sysctl.conf ++ (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:13301 ++ oval:mil.disa.stig.rhel8:obj:13302 ++ ++ + + fs.protected_hardlinks + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf + (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:13401 ++ oval:mil.disa.stig.rhel8:obj:13402 ++ ++ + + kernel.dmesg_restrict + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf + (?:^|\.*\n)\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:13501 ++ oval:mil.disa.stig.rhel8:obj:13502 ++ ++ + + kernel.perf_event_paranoid + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf + (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ 
oval:mil.disa.stig.rhel8:obj:13601 ++ oval:mil.disa.stig.rhel8:obj:13602 ++ ++ + + /etc/sudoers + ^(?!#).*\s+NOPASSWD.*$ +@@ -15156,6 +15451,26 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + openssl-pkcs11 + ++ ++ kernel.randomize_va_space ++ ++ ++ ++ \.conf$ ++ ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf ++ ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:14401 ++ oval:mil.disa.stig.rhel8:obj:14402 ++ ++ + + /etc/dnf/dnf.conf + ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ +@@ -15295,23 +15610,57 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + kernel.core_pattern + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf + (?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+) + 1 + +- ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.core_pattern\s*=\s*(.+) ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:16801 ++ oval:mil.disa.stig.rhel8:obj:16802 ++ ++ ++ ++ /etc/security/limits.conf ++ ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ ++ 1 ++ ++ ++ /etc/security/limits.d ++ \.conf$ ++ ^[ \t]*\*[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:16900 ++ oval:mil.disa.stig.rhel8:obj:16901 ++ ++ ++ + /etc/security/limits.conf +- ^[ \t]*\*[ \t]+hard[ \t]+core[ \t]+0[ \t]*(?:#.*)?$ ++ ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 1 + +- ++ + /etc/security/limits.d + \.conf$ +- ^[ \t]*\*[ \t]+hard[ \t]+core[ \t]+0[ \t]*(?:#.*)?$ ++ ^[ \t]*[^#*\s]+[ \t]+(?:hard|soft|-)[ \t]+core[ \t]+(\d+)[ \t]*(?:#.*)?$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:16903 ++ oval:mil.disa.stig.rhel8:obj:16904 ++ ++ + + /etc/systemd/coredump.conf + ^\s*Storage\s*=\s*(\w*)\s*(?:#.*)?$ +@@ -15605,9 +15954,9 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + ^root:[^:]*:[^:]*:[^:]*:: + 1 + +- ++ 
+ /etc/pam.d/password-auth +- ^\s*password\s+required\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b ++ ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b + 1 + + +@@ -16511,7 +16860,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + net.ipv6.conf.default.accept_redirects + +- ++ + /etc/sysctl.conf + (?:^|.*\n)\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ + 1 +@@ -16531,129 +16880,283 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + net.ipv4.conf.all.send_redirects + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf + (?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ ^.*\.conf$ ++ (?:^|.*\n)\s*net.ipv4.conf.all.send_redirects\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:34901 ++ oval:mil.disa.stig.rhel8:obj:34902 ++ ++ + + net.ipv4.icmp_echo_ignore_broadcasts + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf ++ (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ ^.*\.conf$ + (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35001 ++ oval:mil.disa.stig.rhel8:obj:35002 ++ ++ ++ ++ ++ \.conf$ ++ (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35101 ++ oval:mil.disa.stig.rhel8:obj:35105 ++ ++ + + net.ipv6.conf.all.accept_source_route + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf + (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/sysctl.conf ++ (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35202 ++ oval:mil.disa.stig.rhel8:obj:35205 ++ ++ + + net.ipv6.conf.default.accept_source_route + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|.*\n)\s*net.ipv6.conf.default.accept_source_route\s*=\s*(\d+)\s*$ ++ ++ ++ 
\.conf$ ++ (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ \.conf$ ++ (?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35301 ++ oval:mil.disa.stig.rhel8:obj:35305 ++ ++ + + net.ipv6.conf.all.forwarding + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|.*\n)\s*net.ipv6.conf.all.forwarding\s*=\s*(\d+)\s*$ ++ ++ /etc/sysctl.conf ++ (?:^|.*\n)\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ + 1 + + + net.ipv6.conf.all.accept_ra + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf ++ (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ \.conf$ + (?:^|\.*\n)\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35401 ++ oval:mil.disa.stig.rhel8:obj:35402 ++ ++ + + net.ipv6.conf.default.accept_ra + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf + (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35501 ++ oval:mil.disa.stig.rhel8:obj:35502 ++ ++ + + net.ipv4.conf.default.send_redirects + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|.*\n)\s*net.ipv4.conf.default.send_redirects\s*=\s*(\d+)\s*$ ++ ++ ++ \.conf$ ++ ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf ++ ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ + 1 + +- ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35601 ++ oval:mil.disa.stig.rhel8:obj:35602 ++ ++ ++ + net.ipv6.conf.all.accept_redirects + +- +- /etc/sysctl.d +- ^99-.*\.conf +- (?:^|.*\n)\s*net.ipv6.conf.all.accept_redirects\s*=\s*(\d+)\s*$ ++ ++ ++ \.conf ++ (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/sysctl.conf ++ (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35701 
++ oval:mil.disa.stig.rhel8:obj:35702 ++ ++ + + kernel.unprivileged_bpf_disabled + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf + ^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35801 ++ oval:mil.disa.stig.rhel8:obj:35802 ++ ++ + + kernel.yama.ptrace_scope + +- +- /etc/sysctl.d +- ^99-.*\.conf$ ++ ++ /etc/sysctl.conf + ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ \.conf$ ++ (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:35901 ++ oval:mil.disa.stig.rhel8:obj:35902 ++ ++ + + kernel.kptr_restrict + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|.*\n)\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ ++ ++ ++ \.conf$ ++ ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/sysctl.conf ++ ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:36001 ++ oval:mil.disa.stig.rhel8:obj:36002 ++ ++ + + user.max_user_namespaces + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|\.*\n)\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ ++ ++ ++ \.conf$ ++ ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/sysctl.conf ++ ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:36101 ++ oval:mil.disa.stig.rhel8:obj:36102 ++ ++ + + net.ipv4.conf.all.rp_filter + +- +- /etc/sysctl.d +- ^99-.*\.conf$ +- (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ ++ ++ ++ \.conf$ ++ ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf ++ ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:36201 ++ oval:mil.disa.stig.rhel8:obj:36202 ++ ++ + + postfix + +@@ -16737,34 +17240,66 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + ^\s*Defaults\s+\!runaspw\s*$ + 1 + +- ++ + /etc/sudoers +- 
^\s*Defaults\s+timestamp_timeout\=(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ + 1 + +- ++ + /etc/sudoers.d + ^.*$ +- ^\s*Defaults\s+timestamp_timeout\=(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ + 1 + ++ ++ /etc/pam.d/system-auth ++ \bnullok\b ++ 1 ++ ++ ++ /etc/pam.d/password-auth ++ \bnullok\b ++ 1 ++ ++ ++ net.core.bpf_jit_harden ++ ++ ++ ++ \.conf$ ++ ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ /etc/sysctl.conf ++ ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:47701 ++ oval:mil.disa.stig.rhel8:obj:47702 ++ ++ ++ ++ /etc/shadow ++ ^[^:]+::[^:]*:[^:]*: ++ 1 ++ + + ++ ++ 2 ++ + + 1 + + + 1 + +- +- 2 +- + + 4 + +- +- 5 +- + + 6 + +@@ -16902,6 +17437,12 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + 2 + ++ ++ 2 ++ ++ ++ 2 ++ + + targeted + +@@ -16951,6 +17492,9 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + ^\|\s*/bin/false\s*$ + ++ ++ 0 ++ + + 0 + +@@ -16981,9 +17525,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + 900 + +- +- 2 +- + + 0 + +@@ -16996,30 +17537,18 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + 0 + +- +- 2 +- + + 0 + + + 2 + +- +- 2 +- + + 2 + +- +- 2 +- + + 2 + +- +- 2 +- + + 2 + +@@ -17238,12 +17767,6 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + 0 + +- +- 0 +- +- +- 0 +- + + 0 + +@@ -17262,23 +17785,17 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + 1 + +- +- 1 ++ ++ 1 + +- +- 1 ++ ++ 1 + +- +- 0 ++ ++ 0 + +- +- 0 +- +- +- 1 +- +- +- 1 ++ ++ 0 + + + ^(no|"no")$ +@@ -17299,6 +17816,13 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + /usr/local/bin + /usr/local/sbin + ++ ++ /etc/sysctl.d ++ /run/sysctl.d ++ /lib/sysctl.d ++ /usr/lib/sysctl.d ++ /usr/local/lib/sysctl.d ++ + + 
/etc/sysctl.d + /run/sysctl.d +@@ -17355,15 +17879,29 @@ If the value is set to an integer less than 0, the user's time stamp will not ex + + + ++ ++ /etc/sysctl.d ++ /run/sysctl.d ++ /usr/local/lib/sysctl.d ++ /usr/lib/sysctl.d ++ /lib/sysctl.d ++ ++ ++ /etc/sysctl.d ++ /run/sysctl.d ++ /usr/local/lib/sysctl.d ++ /usr/lib/sysctl.d ++ /lib/sysctl.d ++ + + + +- ++ + + + repotool + 5.10 +- 2022-01-03T11:44:33 ++ 2022-03-28T12:45:12 + + + + +From 8c7ce4c14246cdf84f8a2c4eec3e236de34aa259 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 2 May 2022 10:36:44 +0200 +Subject: [PATCH 3/3] Update RHEL8 STIG to v1r6 + +--- + products/rhel8/profiles/stig.profile | 4 ++-- + products/rhel8/profiles/stig_gui.profile | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 499cf56ed7a..d74393de8ea 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V1R5 ++ version: V1R6 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux 8 V1R5. ++ DISA STIG for Red Hat Enterprise Linux 8 V1R6. 
+ + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile +index e612aaa1ca5..665bc1e059d 100644 +--- a/products/rhel8/profiles/stig_gui.profile ++++ b/products/rhel8/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V1R5 ++ version: V1R6 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5. ++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 5db91ce..dd4c16c 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.60 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System 
@@ -65,6 +65,13 @@ Patch43: scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.p Patch44: scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch Patch45: scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch Patch46: scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch +Patch47: scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch +Patch48: scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch +Patch49: scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch +Patch50: scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch +Patch51: scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch +Patch52: scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch +Patch53: scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch BuildRequires: libxslt BuildRequires: expat @@ -169,6 +176,10 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog +* Tue May 03 2022 Watson Sato - 0.1.60-8 +- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556) +- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556) + * Thu Feb 24 2022 Watson Sato - 0.1.60-7 - Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
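Review bot: Patch47 through Patch53 are declared here, but no matching `%patchNN -p1` application lines appear in the visible hunks, so if `%prep` applies patches individually rather than via `%autosetup -p1` these seven patches would be listed but never applied; `%prep` lies outside this hunk and should be checked. The application order also deserves a note, since the PR numbers are not monotonic (PR_8656, 8698, 8704, 8707, 8718, 8721, then 8670) and the six sysctl patches appear to be successive edits to the same sysctl template, so a reorder would make later ones fail to apply. A one-line comment above Patch47 would make that explicit, e.g. `# Patch47-52 are sequential changes to the sysctl template and must apply in this order`.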