xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_anssi_bp28_high | OpenSCAP Evaluation Report

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile ANSSI-BP-028 (high)
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	localhost
Benchmark URL	#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.56
Profile ID	xccdf_org.ssgproject.content_profile_anssi_bp28_high
Started at	2021-06-18T12:02:23+01:00
Finished at	2021-06-18T12:05:36+01:00
Performed by	test
Test system	cpe:/a:redhat:openscap:1.3.5

CPE Platforms

cpe:/o:redhat:enterprise_linux:8

Addresses

IPv4 127.0.0.1
IPv4 192.168.122.198
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:5054:ff:fee6:ccee
MAC 00:00:00:00:00:00
MAC 52:54:00:E6:CC:EE

Compliance and Scoring

The target system did not satisfy the conditions of 9 rules! Please review rule results and consider applying remediation.

Rule results

172 passed

9 failed

2 other

Severity of failed rules

0 other

0 low

8 medium

1 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	95.305061	100.000000	95.31%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 9x fail 2x notchecked
System Settings 9x fail 2x notchecked
Installing and Maintaining Software 3x fail 1x notchecked
System and Software Integrity
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE	medium	pass
Build and Test AIDE Database	medium	pass
Configure Periodic Execution of AIDE	medium	pass
Configure Notification of Post-AIDE Scan Details	medium	pass
Configure AIDE to Verify Extended Attributes	low	pass
Configure AIDE to Verify Access Control Lists (ACLs)	low	pass
Sudo 3x fail
Install sudo Package	medium	pass
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot	medium	pass
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC	high	pass
Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout	medium	pass
Don't define allowed commands in sudoers by means of exclusion	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty	medium	pass
Ensure sudo Runs In A Minimal Environment - sudo env_reset	medium	pass
Ensure sudo umask is appropriate - sudo umask	medium	pass
Explicit arguments in sudo specifications	medium	fail
Ensure a dedicated group owns sudo	medium	fail
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate	medium	pass
Don't target root user in the sudoers file	medium	fail
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD	medium	pass
Disk Partitioning
Ensure /var/log/audit Located On Separate Partition	low	pass
Ensure /boot Located On Separate Partition	medium	pass
Ensure /opt Located On Separate Partition	medium	pass
Ensure /tmp Located On Separate Partition	low	pass
Ensure /srv Located On Separate Partition	unknown	pass
Ensure /usr Located On Separate Partition	medium	pass
Ensure /var Located On Separate Partition	low	pass
Ensure /var/tmp Located On Separate Partition	low	pass
Ensure /var/log Located On Separate Partition	medium	pass
Ensure /home Located On Separate Partition	low	pass
Updating Software 1x notchecked
Install dnf-automatic Package	medium	pass
Ensure Red Hat GPG Key Installed	high	pass
Enable dnf-automatic Timer	medium	pass
Ensure Software Patches Installed ()	high	notchecked
Configure dnf-automatic to Install Only Security Updates	low	pass
Ensure gpgcheck Enabled for Local Packages	high	pass
Configure dnf-automatic to Install Available Updates Automatically	medium	pass
Ensure gpgcheck Enabled for All yum Package Repositories	high	pass
Ensure gpgcheck Enabled In Main yum Configuration	high	pass
Prefer to use a 64-bit Operating System when supported	medium	pass
Account and Access Control
Protect Accounts by Configuring PAM
Set Password Hashing Algorithm
Set PAM's Password Hashing Algorithm	medium	pass
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Ensure PAM Enforces Password Requirements - Minimum Special Characters	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Digit Characters	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Length	medium	pass
Set Lockouts for Failed Password Attempts
Set Interval For Counting Failed Password Attempts	medium	pass
Limit Password Reuse	medium	pass
Set Lockout Time for Failed Password Attempts	medium	pass
Set Deny For Failed Password Attempts	medium	pass
Configure the root Account for Failed Password Attempts	medium	pass
Set Up a Private Namespace in PAM Configuration	low	pass
Protect Accounts by Restricting Password-Based Login
Set Password Expiration Parameters
Set Password Minimum Length in login.defs	medium	pass
Set Password Maximum Age	medium	pass
Restrict Root Logins
Direct root Logins Not Allowed	medium	pass
Verify Proper Storage and Existence of Password Hashes
Set number of Password Hashing Rounds - system-auth	medium	pass
Set number of Password Hashing Rounds - password-auth	medium	pass
Secure Session Configuration Files for Login Accounts
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctly	medium	pass
Ensure the Default Umask is Set Correctly in /etc/profile	unknown	pass
Ensure the Default Umask is Set Correctly in login.defs	medium	pass
Configure Polyinstantiation of /tmp Directories	low	pass
Configure Polyinstantiation of /var/tmp Directories	low	pass
Set Interactive Session Timeout	medium	pass
System Accounting with auditd
Configure auditd Rules for Comprehensive Auditing
Record Information on the Use of Privileged Commands
Ensure auditd Collects Information on the Use of Privileged Commands - sudo	medium	pass
Network Configuration and Firewalls
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	pass
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	pass
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces	medium	pass
Set Kernel Parameter to Increase Local Port Range	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	pass
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	pass
IPv6
Configure IPv6 Settings if Necessary
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	pass
Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces	unknown	pass
Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default	unknown	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	pass
Configure Denying Router Solicitations on All IPv6 Interfaces By Default	unknown	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	pass
Configure Auto Configuration on All IPv6 Interfaces By Default	unknown	pass
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces	unknown	pass
Configure Auto Configuration on All IPv6 Interfaces	unknown	pass
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default	unknown	pass
Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces	unknown	pass
Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default	unknown	pass
Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default	unknown	pass
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	pass
Configure Denying Router Solicitations on All IPv6 Interfaces	unknown	pass
Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces	unknown	pass
Configure Syslog 2x fail
Ensure All Logs are Rotated by logrotate
Ensure Logrotate Runs Periodically	medium	pass
Rsyslog Logs Sent To Remote Host 2x fail
Ensure Logs Sent To Remote Host	medium	pass
Configure TLS for rsyslog remote logging	medium	fail
Configure CA certificate for rsyslog remote logging	medium	fail
Ensure Proper Configuration of Log Files
Ensure Log Files Are Owned By Appropriate Group	medium	pass
Ensure Log Files Are Owned By Appropriate User	medium	pass
Ensure System Log Files Have Correct Permissions	medium	pass
Ensure rsyslog-gnutls is installed	medium	pass
Ensure rsyslog is Installed	medium	pass
Enable rsyslog Service	medium	pass
File Permissions and Masks 2x fail 1x notchecked
Verify Permissions on Important Files and Directories 1x fail
Verify Permissions on Files with Local Account Information and Credentials
Verify Permissions on gshadow File	medium	pass
Verify Permissions on group File	medium	pass
Verify Permissions on shadow File	medium	pass
Verify User Who Owns gshadow File	medium	pass
Verify User Who Owns shadow File	medium	pass
Verify Permissions on passwd File	medium	pass
Enable Kernel Parameter to Enforce DAC on Symlinks	medium	pass
Ensure All World-Writable Directories Are Owned by root user	medium	fail
Enable Kernel Parameter to Enforce DAC on Hardlinks	medium	pass
Ensure All SGID Executables Are Authorized	medium	pass
Ensure All SUID Executables Are Authorized	medium	pass
Verify that All World-Writable Directories Have Sticky Bits Set	medium	pass
Ensure No World-Writable Files Exist	medium	pass
Restrict Partition Mount Options
Add nosuid Option to /var	unknown	pass
Add noexec Option to /var/tmp	medium	pass
Add noexec Option to /home	medium	pass
Add noexec Option to /var	medium	pass
Add noexec Option to /boot	medium	pass
Add nosuid Option to /var/log	medium	pass
Add nosuid Option to /opt	medium	pass
Add nosuid Option to /boot	medium	pass
Add noexec Option to /var/log	medium	pass
Add noexec Option to /tmp	medium	pass
Add nosuid Option to /tmp	medium	pass
Add nosuid Option to /var/tmp	medium	pass
Add nosuid Option to /home	medium	pass
Add nodev Option to Non-Root Local Partitions	medium	pass
Add nosuid Option to /srv	medium	pass
Restrict Programs from Dangerous Execution Patterns 1x fail 1x notchecked
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems 1x notchecked
Enable NX or XD Support in the BIOS	unknown	notchecked
Install PAE Kernel on Supported 32-bit x86 Systems	unknown	pass
Enable ExecShield
Enable Randomized Layout of Virtual Address Space	medium	pass
Restrict Exposed Kernel Pointer Addresses Access	medium	pass
Enable ExecShield via sysctl	medium	pass
Disable Core Dumps
Disable Core Dumps for SUID programs	medium	pass
Limit CPU consumption of the Perf system	medium	pass
Disable loading and unloading of kernel modules	medium	fail
Restrict Access to Kernel Message Buffer	medium	pass
Disallow magic SysRq key	medium	pass
Configure maximum number of process identifiers	medium	pass
Restrict usage of ptrace to descendant processes	medium	pass
Limit sampling frequency of the Perf system	medium	pass
Disallow kernel profiling by unprivileged users	medium	pass
Prevent applications from mapping low portion of virtual memory	medium	pass
GRUB2 bootloader configuration 1x fail
Non-UEFI GRUB2 bootloader configuration 1x fail
Set Boot Loader Password in grub2	high	fail
UEFI GRUB2 bootloader configuration
Set the UEFI Boot Loader Password	high	notapplicable
IOMMU configuration directive	unknown	pass
SELinux 1x fail
SELinux - Booleans 1x fail
Enable the deny_execmem SELinux Boolean	medium	fail
Disable the secure_mode_insmod SELinux Boolean	medium	pass
Disable the selinuxuser_execheap SELinux Boolean	medium	pass
Disable the polyinstantiation_enabled SELinux Boolean	medium	pass
disable the selinuxuser_execstack SELinux Boolean	medium	pass
Disable the ssh_sysadm_login SELinux Boolean	medium	pass
Uninstall setroubleshoot-plugins Package	low	pass
Uninstall setroubleshoot-server Package	low	pass
Uninstall setroubleshoot Package	low	pass
Configure SELinux Policy	medium	pass
Ensure SELinux State is Enforcing	medium	pass
Services
Mail Server Software
Configure SMTP For Mail Clients
Configure System to Forward All Mail For The Root Account	low	pass
Disable Postfix Network Listening	medium	pass
Uninstall Sendmail Package	medium	pass
SSH Server
Configure OpenSSH Server if Necessary
Disable SSH Root Login	medium	pass
Set SSH Idle Timeout Interval	medium	pass
Set SSH Client Alive Count Max	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Network Time Protocol
The Chrony package is installed	medium	pass
A remote time server for Chrony is configured	medium	pass
Obsolete Services
Rlogin, Rsh, and Rexec
Uninstall rsh-server Package	high	pass
Uninstall rsh Package	unknown	pass
NIS
Remove NIS Client	unknown	pass
Uninstall ypserv Package	high	pass
Telnet
Uninstall telnet-server Package	high	pass
Remove telnet Clients	low	pass
Xinetd
Uninstall xinetd Package	low	pass
Chat/Messaging Services
Uninstall talk-server Package	medium	pass
Uninstall talk Package	medium	pass
TFTP Server
Uninstall tftp-server Package	high	pass
Remove tftp Daemon	low	pass
DHCP
Disable DHCP Server
Uninstall DHCP Server Package	medium	pass

Result Details

Install AIDE

Rule ID	xccdf_org.ssgproject.content_rule_package_aide_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_aide_installed:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80844-4 References: BP28(R51), 1.4.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, RHEL-08-010360, SV-230263r627750_rule
Description	The `aide` package can be installed with the following command: $ sudo yum install aide
Rationale	The AIDE package must be installed if it is to be available for integrity checking.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

Build and Test AIDE Database

Rule ID	xccdf_org.ssgproject.content_rule_aide_build_database
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_build_database:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80675-2 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5
Description	Run the following command to generate a new database: $ sudo /usr/sbin/aide --init By default, the database will be written to the file `/var/lib/aide/aide.db.new.gz`. Storing the database, the configuration file `/etc/aide.conf`, and the binary `/usr/sbin/aide` (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: $ sudo /usr/sbin/aide --check If this check produces any unexpected output, investigate.
Rationale	For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

Testing existence of new aide database file oval:ssg-test_aide_build_new_database_absolute_path:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/var/lib/aide/aide.db.new.gz	regular	0	0	7828689	`rw-------`

Testing existence of operational aide database file oval:ssg-test_aide_operational_database_absolute_path:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/var/lib/aide/aide.db.gz	regular	0	0	7828689	`rw-------`

Configure Periodic Execution of AIDE

Rule ID	xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_periodic_cron_checking:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80676-0 References: BP28(R51), 1.4.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
Description	At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as `@daily` and `@weekly` is acceptable.
Rationale	By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

run aide with cron oval:ssg-test_aide_periodic_cron_checking:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crontab	05 4 * * * root /usr/sbin/aide --check
/etc/crontab	0 5 * * * root /usr/sbin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

run aide with cron oval:ssg-test_aide_crond_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.d	^.*$	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s]root[\s]/usr/sbin/aide[\s]\-\-check.*$	1

run aide with cron oval:ssg-test_aide_var_cron_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s](root)?[\s]/usr/sbin/aide[\s]\-\-check.*$	1

run aide with cron.(daily|weekly) oval:ssg-test_aide_crontabs_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
^/etc/cron.(daily\|weekly)$	^.*$	^\s/usr/sbin/aide[\s]\-\-check.*$	1

Configure Notification of Post-AIDE Scan Details

Rule ID	xccdf_org.ssgproject.content_rule_aide_scan_notification
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_scan_notification:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82891-3 References: BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule
Description	AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in `/etc/crontab`, append the following line to the existing AIDE line: \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost Otherwise, add the following line to `/etc/crontab`: 05 4 * * * root /usr/sbin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost AIDE can be executed periodically through other means; this is merely one example.
Rationale	Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

notify personnel when aide completes oval:ssg-test_aide_scan_notification:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crontab	0 5 * * * root /usr/sbin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

notify personnel when aide completes oval:ssg-test_aide_var_cron_notification:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^./usr/sbin/aide[\s]\-\-check.\\|./bin/mail[\s]-s[\s]"."[\s].+@.+$	1

notify personnel when aide completes in cron.(daily|weekly|monthly) oval:ssg-test_aide_crontabs_notification:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
^/etc/cron.(d\|daily\|weekly\|monthly)$	^.*$	^./usr/sbin/aide[\s]\-\-check.\\|./bin/mail[\s]-s[\s]"."[\s].+@.+$	1

Configure AIDE to Verify Extended Attributes

Rule ID	xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_verify_ext_attributes:def:1
Time	2021-06-18T12:02:24+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83733-6 References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule
Description	By default, the `xattrs` option is added to the `FIPSR` ruleset in AIDE. If using a custom ruleset or the `xattrs` option is missing, add `xattrs` to the appropriate ruleset. For example, add `xattrs` to the following line in `/etc/aide.conf`: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds `xattrs` to all rule sets available in `/etc/aide.conf`
Rationale	Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

xattrs is set in /etc/aide.conf oval:ssg-test_aide_verify_ext_attributes:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	DIR = p+i+n+u+g+acl+selinux+xattrs
/etc/aide.conf	PERMS = p+u+g+acl+selinux+xattrs
/etc/aide.conf	EVERYTHING = R+ALLXTRAHASHES+xattrs+acl
/etc/aide.conf	NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/aide.conf	LOG = p+u+g+n+S+acl+selinux+xattrs
/etc/aide.conf	CONTENT = sha512+ftype+xattrs+acl
/etc/aide.conf	CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
/etc/aide.conf	DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Configure AIDE to Verify Access Control Lists (ACLs)

Rule ID	xccdf_org.ssgproject.content_rule_aide_verify_acls
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_verify_acls:def:1
Time	2021-06-18T12:02:24+01:00
Severity	low
Identifiers and References	Identifiers: CCE-84220-3 References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r627750_rule
Description	By default, the `acl` option is added to the `FIPSR` ruleset in AIDE. If using a custom ruleset or the `acl` option is missing, add `acl` to the appropriate ruleset. For example, add `acl` to the following line in `/etc/aide.conf`: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds `acl` to all rule sets available in `/etc/aide.conf`
Rationale	ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	14.el8	0.16	0:0.16-14.el8	199e2f91fd431d51	aide-0:0.16-14.el8.x86_64

acl is set in /etc/aide.conf oval:ssg-test_aide_verify_acls:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	DIR = p+i+n+u+g+acl+selinux+xattrs
/etc/aide.conf	PERMS = p+u+g+acl+selinux+xattrs
/etc/aide.conf	EVERYTHING = R+ALLXTRAHASHES+xattrs+acl
/etc/aide.conf	NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/aide.conf	LOG = p+u+g+n+S+acl+selinux+xattrs
/etc/aide.conf	CONTENT = sha512+ftype+xattrs+acl
/etc/aide.conf	CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
/etc/aide.conf	DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Install sudo Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sudo_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_sudo_installed:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82214-8 References: BP28(R19), 1.3.1, 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125
Description	The `sudo` package can be installed with the following command: $ sudo yum install sudo
Rationale	`sudo` is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

OVAL test results details

package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
sudo	x86_64	(none)	7.el8	1.8.29	0:1.8.29-7.el8	199e2f91fd431d51	sudo-0:1.8.29-7.el8.x86_64

Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_ignore_dot:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83810-2 References: BP28(R58)
Description	The sudo `ignore_dot` tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 8, `env_reset` is enabled by default This should be enabled by making sure that the `ignore_dot` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.

OVAL test results details

ignore_dot exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_ignore_dot_sudoers:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_ignore_dot_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\|\.d/.*)$	^[\s]Defaults.\bignore_dot\b.*$	1

Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_noexec:def:1
Time	2021-06-18T12:02:24+01:00
Severity	high
Identifiers and References	Identifiers: CCE-83747-6 References: BP28(R58)
Description	The sudo `NOEXEC` tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the `NOEXEC` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.

OVAL test results details

noexec exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_noexec_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults noexec

Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_passwd_timeout:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83964-7 References: BP28(R58)
Description	The sudo `passwd_timeout` tag sets the amount of time sudo password prompt waits. On Red Hat Enterprise Linux 8, the default `passwd_timeout` value is 5 minutes. The passwd_timeout should be configured by making sure that the `passwd_timeout=sub_var_value("var_sudo_passwd_timeout")` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Reducing the time `sudo` waits for a a password reduces the time the process is exposed.

OVAL test results details

passwd_timeout exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_passwd_timeout_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults passwd_timeout=1

Don't define allowed commands in sudoers by means of exclusion

Rule ID	xccdf_org.ssgproject.content_rule_sudoers_no_command_negation
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudoers_no_command_negation:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83518-1 References: BP28(R61)
Description	Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the `sudoers` file contains a comma-delimited list of command specifications. The definition can make use glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.
Rationale	Specifying access right using negation is inefficient and can be easily circumvented. For example, it is expected that a specification like # To avoid absolutely , this rule can be easily circumvented! user ALL = ALL ,!/ bin/sh prevents the execution of the shell but that’s not the case: just copy the binary `/bin/sh` to a different name to make it executable again through the rule keyword `ALL`.
Warnings	warning This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.

OVAL test results details

Make sure that no command in user spec contains negation oval:ssg-test_sudoers_no_command_negation:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sudoers_no_command_negation:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\.d/.*)?$	^(?:\s[^#=]+)=(?:\s(?:$[^$]+\))?\s(?!\s$)[^,!\n][^,\n]+,)\s(?:\([^$]+\))?\s(?!\s\()(!\S+).*	1

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_use_pty
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_use_pty:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83798-9 References: BP28(R58)
Description	The sudo `use_pty` tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the `use_pty` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

OVAL test results details

use_pty exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_use_pty_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults use_pty

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_requiretty
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_requiretty:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83790-6 References: BP28(R58)
Description	The sudo `requiretty` tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the `requiretty` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.

OVAL test results details

requiretty exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_requiretty_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults requiretty

Ensure sudo Runs In A Minimal Environment - sudo env_reset

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_env_reset:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83820-1 References: BP28(R58)
Description	The sudo `env_reset` tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Enterprise Linux 8, `env_reset` is enabled by default This should be enabled by making sure that the `env_reset` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.

OVAL test results details

env_reset exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_env_reset_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults env_reset

Ensure sudo umask is appropriate - sudo umask

Rule ID	xccdf_org.ssgproject.content_rule_sudo_add_umask
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_add_umask:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83860-7 References: BP28(R58)
Description	The sudo `umask` tag, when specified, will be added the to the user's umask in the command environment. On Red Hat Enterprise Linux 8, the default `umask` value is 0022. The umask should be configured by making sure that the `umask=sub_var_value("var_sudo_umask")` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

OVAL test results details

umask exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_umask_sudoers:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults umask=0027

Explicit arguments in sudo specifications

Rule ID	xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudoers_explicit_command_args:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83632-0 References: BP28(R63)
Description	All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
Rationale	Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option: user ALL = dmesg ""
Warnings	warning This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments. warning The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, `root ALL=(ALL) echo 1\,2` allows root to execute `echo 1,2`, but the check would interpret it as two commands `echo 1\` and `2`.

OVAL test results details

Make sure that no command in user spec is without any argument oval:ssg-test_sudoers_explicit_command_args:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Ensure a dedicated group owns sudo

Rule ID	xccdf_org.ssgproject.content_rule_sudo_dedicated_group
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_dedicated_group:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83982-9 References: BP28(R57)
Description	Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is sudogrp.
Rationale	Restricting the set of users able to execute commands as privileged user reduces the attack surface.
Warnings	warning Changing group owner of `/usr/bin/sudo` to a group with no member users will prevent any and all escalatation of privileges. Additionally, the system may become unmanageable if root logins are not allowed. warning This rule doesn't come with a remediation, before remediating the sysadmin needs to add users to the dedicated sudo group.

OVAL test results details

Check if dedicated group is listed in /etc/group oval:ssg-test_dedicated_group_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-sudo_dedicated_group_gid:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

sudogrp

^sudogrp:x:(\d+):.*$

/etc/group

Check /usr/bin/sudo is owned by group defined in var_sudo_dedicated_group oval:ssg-test_sudo_owned_by_dedicated_group:tst:1 error

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/usr/bin/sudo	regular	0	0	165640	`--s--x--x`

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule ID	xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_remove_no_authenticate:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82202-3 References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r627750_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
Description	The sudo `!authenticate` option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the `!authenticate` option does not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL test results details

!authenticate does not exist in /etc/sudoers oval:ssg-test_no_authenticate_etc_sudoers:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sudoers	^(?!#).[\s]+\!authenticate.$	1

!authenticate does not exist in /etc/sudoers.d oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sudoers.d	^.*$	^(?!#).[\s]+\!authenticate.$	1

Don't target root user in the sudoers file

Rule ID	xccdf_org.ssgproject.content_rule_sudoers_no_root_target
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudoers_no_root_target:def:1
Time	2021-06-18T12:02:25+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83598-3 References: BP28(R60)
Description	The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and `ALL` or `root` should not be used.
Rationale	It is common that the command to be executed does not require superuser rights (editing a file whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit any attempt of privilege escalation through a command, it is better to apply normal user rights.
Warnings	warning This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.

OVAL test results details

Make sure that no user spec in sudoers has a runas spec that includes root or ALL oval:ssg-test_no_root_or_ALL_in_runas_spec:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-root_or_ALL_in_runas_spec:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\.d/.*)?$	^\s((?!root\b)[\w]+)\s(\w+)\s=\s(.,)?\s$[\w\s]\b(root\|ALL)\b[\w\s]$	1

make sure that all user specs in sudoers feature a runas spec oval:ssg-test_no_user_spec_rules:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sudoers	Defaults env_keep = "

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule ID	xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_remove_nopasswd:def:1
Time	2021-06-18T12:02:25+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82197-5 References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r627750_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
Description	The sudo `NOPASSWD` tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the `NOPASSWD` tag does not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.
Rationale	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL test results details

NOPASSWD does not exist /etc/sudoers oval:ssg-test_nopasswd_etc_sudoers:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sudoers	^(?!#).[\s]+NOPASSWD[\s]\:.*$	1

NOPASSWD does not exist in /etc/sudoers.d oval:ssg-test_nopasswd_etc_sudoers_d:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sudoers.d	^.*$	^(?!#).[\s]+NOPASSWD[\s]\:.*$	1

Ensure /var/log/audit Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_var_log_audit:def:1
Time	2021-06-18T12:02:25+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80854-3 References: BP28(R43), 1.1.12, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, RHEL-08-010542, SV-230294r627750_rule, SRG-OS-000341-VMM-001220
Description	Audit logs are stored in the `/var/log/audit` directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Rationale	Placing `/var/log/audit` in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

OVAL test results details

/var/log/audit on own partition oval:ssg-testvar_log_audit_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/log/audit	/dev/mapper/rhel-var_log_audit	c283ed62-570e-470f-9887-a451fb69ee7d	xfs	rw	seclabel	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	129704	7555	122149

Ensure /boot Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_boot
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_boot:def:1
Time	2021-06-18T12:02:25+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83336-8 References: BP28(R12)
Description	It is recommended that the `/boot` directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the `noexec` mount option. Eventually, the `/boot` partition can be configured not to be mounted automatically with the `noauto` mount option.
Rationale	The `/boot` partition contains the kernel and bootloader files. Access to this partition should be restricted.

OVAL test results details

/boot on own partition oval:ssg-testboot_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	9bdb2e77-09b5-4440-bb45-2979a88c80fd	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	129704	59981	69723

Ensure /opt Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_opt
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_opt:def:1
Time	2021-06-18T12:02:26+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83340-0 References: BP28(R12)
Description	It is recommended that the `/opt` directory resides on a separate partition.
Rationale	The `/opt` partition contains additional software, usually installed outside the packaging system. Putting this directory on a separate partition makes it easier to apply restrictions e.g. through the `nosuid` mount option.

OVAL test results details

/opt on own partition oval:ssg-testopt_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/opt	/dev/mapper/rhel-opt	77ae06e9-6dd5-4e0a-b037-f3613a9d7b52	xfs	rw	seclabel	nosuid	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10073	249511

Ensure /tmp Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_tmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_tmp:def:1
Time	2021-06-18T12:02:26+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80851-9 References: BP28(R12), 1.1.2, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, SV-230295r627750_rule
Description	The `/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	The `/tmp` partition is used as temporary storage by many programs. Placing `/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL test results details

/tmp on own partition oval:ssg-testtmp_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/tmp	/dev/mapper/rhel-tmp	7046abce-80d6-421c-bff3-99e32bc334a2	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10119	249465

Ensure /srv Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_srv
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_srv:def:1
Time	2021-06-18T12:02:26+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83387-1 References: BP28(R12)
Description	If a file server (FTP, TFTP...) is hosted locally, create a separate partition for `/srv` at installation time (or migrate it later using LVM). If `/srv` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale	Srv deserves files for local network file server such as FTP. Ensuring that `/srv` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL test results details

/srv on own partition oval:ssg-testsrv_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/srv	/dev/mapper/rhel-srv	77751d51-5128-44d4-b904-41179eafa70e	xfs	rw	seclabel	nosuid	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10073	249511

Ensure /usr Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_usr
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_usr:def:1
Time	2021-06-18T12:02:26+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83343-4 References: BP28(R12)
Description	It is recommended that the `/usr` directory resides on a separate partition.
Rationale	The `/usr` partition contains system software, utilities and files. Putting it on a separate partition allows limiting its size and applying restrictions through mount options.

OVAL test results details

/usr on own partition oval:ssg-testusr_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/usr	/dev/mapper/rhel-usr	e1e98a2c-ead1-477e-bdd7-d69f4a5b6e84	xfs	rw	seclabel	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	1277440	1139330	138110

Ensure /var Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_var:def:1
Time	2021-06-18T12:02:27+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80852-7 References: BP28(R12), 1.1.6, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010540, SV-230292r627750_rule, SRG-OS-000341-VMM-001220
Description	The `/var` directory is used by daemons and other system services to store frequently-changing data. Ensure that `/var` has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	Ensuring that `/var` is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the `/var` directory to contain world-writable directories installed by other software packages.

OVAL test results details

/var on own partition oval:ssg-testvar_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var	/dev/mapper/rhel-var	3b9bf26c-12ea-4f64-abc1-3fac0b5d2263	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	783872	64669	719203

Ensure /var/tmp Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var_tmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_var_tmp:def:1
Time	2021-06-18T12:02:27+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82730-3 References: BP28(R12), 1.1.7, SRG-OS-000480-GPOS-00227
Description	The `/var/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	The `/var/tmp` partition is used as temporary storage by many programs. Placing `/var/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL test results details

/var/tmp on own partition oval:ssg-testvar_tmp_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/tmp	/dev/mapper/rhel-var_tmp	5cdb94cd-dc68-4f07-aca4-c8f069f590f1	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10098	249486

Ensure /var/log Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var_log
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_var_log:def:1
Time	2021-06-18T12:02:27+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80853-5 References: BP28(R12), BP28(R47), 1.1.11, 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, SV-230293r627750_rule
Description	System logs are stored in the `/var/log` directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	Placing `/var/log` in its own partition enables better separation between log files and other files in `/var/`.

OVAL test results details

/var/log on own partition oval:ssg-testvar_log_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/log	/dev/mapper/rhel-var_log	54ebd97a-fc48-4ff8-9e66-637df9cbc902	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	12683	246901

Ensure /home Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_home
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_home:def:1
Time	2021-06-18T12:02:28+01:00
Severity	low
Identifiers and References	Identifiers: CCE-81044-0 References: BP28(R12), 1.1.13, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, SV-230328r627750_rule
Description	If user home directories will be stored locally, create a separate partition for `/home` at installation time (or migrate it later using LVM). If `/home` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale	Ensuring that `/home` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL test results details

/home on own partition oval:ssg-testhome_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	249c85b7-b274-4df5-8ef4-8790ff211f6a	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	13526	246058

Install dnf-automatic Package

Rule ID	xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_dnf-automatic_installed:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82985-3 References: BP28(R8), SRG-OS-000191-GPOS-00080
Description	The `dnf-automatic` package can be installed with the following command: $ sudo yum install dnf-automatic
Rationale	`dnf-automatic` is an alternative command line interface (CLI) to `dnf upgrade` suitable for automatic, regular execution.

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
dnf-automatic	noarch	(none)	11.el8	4.4.2	0:4.4.2-11.el8	199e2f91fd431d51	dnf-automatic-0:4.4.2-11.el8.noarch

Ensure Red Hat GPG Key Installed

Rule ID	xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_redhat_gpgkey_installed:def:1
Time	2021-06-18T12:02:28+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80795-8 References: BP28(R15), 1.2.3, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in `/media/cdrom`, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEY Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale	Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL test results details

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	0.6.el8	8.5	0:8.5-0.6.el8	199e2f91fd431d51	redhat-release-0:8.5-0.6.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	0.6.el8	8.5	0:8.5-0.6.el8	199e2f91fd431d51	redhat-release-0:8.5-0.6.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	0.6.el8	8.5	0:8.5-0.6.el8	199e2f91fd431d51	redhat-release-0:8.5-0.6.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	0.6.el8	8.5	0:8.5-0.6.el8	199e2f91fd431d51	redhat-release-0:8.5-0.6.el8.x86_64

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

Red Hat release key package is installed oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)

Red Hat auxiliary key package is installed oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^ID="(\w+)"$	1

Check os-release ID oval:ssg-test_centos8_name:tst:1 false

Following items have been found on the system:

Path	Content
/etc/os-release	ID="rhel"

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^ID="(\w+)"$	1

Check os-release ID oval:ssg-test_centos8_name:tst:1 false

Following items have been found on the system:

Path	Content
/etc/os-release	ID="rhel"

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^VERSION_ID="(\d)"$	1

CentOS8 key package is installed oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	0	gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	0	gpg-pubkey-0:fd431d51-4ae0493b.(none)

Enable dnf-automatic Timer

Rule ID	xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-timer_dnf-automatic_enabled:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82360-9 References: BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080
Description	The `dnf-automatic` timer can be enabled with the following command: $ sudo systemctl enable dnf-automatic.timer
Rationale	The `dnf-automatic` is an alternative command line interface (CLI) to `dnf upgrade` with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by `dnf-automatic.timer` SystemD timer.

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
dnf-automatic	noarch	(none)	11.el8	4.4.2	0:4.4.2-11.el8	199e2f91fd431d51	dnf-automatic-0:4.4.2-11.el8.noarch

Test that the dnf-automatic timer is running oval:ssg-test_timer_running_dnf-automatic:tst:1 true

Following items have been found on the system:

Unit	Property	Value
dnf-automatic.timer	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_dnf-automatic:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	var-tmp.mount	var.mount	sysinit.target	plymouth-read-write.service	lvm2-monitor.service	cryptsetup.target	systemd-hwdb-update.service	sys-kernel-debug.mount	local-fs.target	-.mount	srv.mount	opt.mount	home.mount	var-log.mount	tmp.mount	var-log-audit.mount	usr.mount	boot.mount	systemd-remount-fs.service	ostree-remount.service	lvm2-lvmpolld.socket	systemd-journal-flush.service	nis-domainname.service	iscsi-onboot.service	ldconfig.service	systemd-udevd.service	systemd-journal-catalog-update.service	systemd-update-utmp.service	systemd-random-seed.service	plymouth-start.service	dev-mqueue.mount	systemd-tmpfiles-setup.service	systemd-update-done.service	systemd-sysctl.service	systemd-modules-load.service	proc-sys-fs-binfmt_misc.automount	systemd-binfmt.service	selinux-autorelabel-mark.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	dev-hugepages.mount	systemd-udev-trigger.service	systemd-machine-id-commit.service	systemd-sysusers.service	import-state.service	systemd-firstboot.service	sys-kernel-config.mount	loadmodules.service	swap.target	dev-mapper-rhel\x2dswap.swap	kmod-static-nodes.service	multipathd.service	systemd-tmpfiles-setup-dev.service	systemd-journald.service	dracut-shutdown.service	paths.target	timers.target	dnf-makecache.timer	dnf-automatic.timer	mlocate-updatedb.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	sockets.target	systemd-journald.socket	avahi-daemon.socket	systemd-journald-dev-log.socket	dm-event.socket	libvirtd-ro.socket	dbus.socket	libvirtd.socket	virtlogd.socket	virtlockd.socket	systemd-coredump.socket	iscsiuio.socket	systemd-udevd-kernel.socket	multipathd.socket	systemd-initctl.socket	iscsid.socket	cups.socket	systemd-udevd-control.socket	rpcbind.socket	sssd-kcm.socket	microcode.service	mdmonitor.service	smartd.service	sssd.service	plymouth-quit-wait.service	auditd.service	nfs-client.target	auth-rpcgss-module.service	rpc-statd-notify.service	remote-fs-pre.target	getty.target	getty@tty1.service	vdo.service	plymouth-quit.service	mcelog.service	systemd-ask-password-wall.path	ksm.service	tuned.service	rpcbind.service	rsyslog.service	ModemManager.service	chronyd.service	systemd-logind.service	systemd-update-utmp-runlevel.service	crond.service	NetworkManager.service	libstoragemgmt.service	vmtoolsd.service	sshd.service	ksmtuned.service	firewalld.service	irqbalance.service	cups.service	systemd-user-sessions.service	rhsmcertd.service	avahi-daemon.service	dbus.service	kdump.service	libvirtd.service	cups.path	remote-fs.target	iscsi.service	var-lib-machines.mount	atd.service

Ensure Software Patches Installed

Rule ID	xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result	notchecked
Multi-check rule	yes
OVAL Definition ID
Time	2021-06-18T12:02:28+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80865-9 References: BP28(R08), 1.9, 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, RHEL-08-010010, SV-230222r627750_rule, SRG-OS-000480-VMM-002000
Description	If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using `rpm`. NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Evaluation messages info None of the check-content-ref elements was resolvable.

Configure dnf-automatic to Install Only Security Updates

Rule ID	xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dnf-automatic_security_updates_only:def:1
Time	2021-06-18T12:02:28+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82267-6 References: BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080
Description	To configure `dnf-automatic` to install only security updates automatically, set `upgrade_type` to `security` under `[commands]` section in `/etc/dnf/automatic.conf`.
Rationale	By default, `dnf-automatic` installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.

OVAL test results details

tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_security_updates_only:tst:1 true

Following items have been found on the system:

Path	Content
/etc/dnf/automatic.conf	[commands] # What kind of upgrade to perform: # default = all available upgrades # security = only the security upgrades upgrade_type = security

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/dnf/automatic.conf	regular	0	0	2719	`rw-r--r--`

Ensure gpgcheck Enabled for Local Packages

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_local_packages:def:1
Time	2021-06-18T12:02:28+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80791-7 References: BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r627750_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	`yum` should be configured to verify the signature(s) of local packages prior to installation. To configure `yum` to verify signatures of local packages, set the `localpkg_gpgcheck` to `1` in `/etc/yum.conf`.
Rationale	Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

OVAL test results details

check value of localpkg_gpgcheck in /etc/yum.conf oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1 true

Following items have been found on the system:

Path	Content
/etc/yum.conf	localpkg_gpgcheck = 1

Configure dnf-automatic to Install Available Updates Automatically

Rule ID	xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dnf-automatic_apply_updates:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82494-6 References: BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080
Description	To ensure that the packages comprising the available updates will be automatically installed by `dnf-automatic`, set `apply_updates` to `yes` under `[commands]` section in `/etc/dnf/automatic.conf`.
Rationale	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.

OVAL test results details

tests the value of apply_updates setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_apply_updates:tst:1 true

Following items have been found on the system:

Path	Content
/etc/dnf/automatic.conf	[commands] # What kind of upgrade to perform: # default = all available upgrades # security = only the security upgrades upgrade_type = security random_sleep = 0 # Maximum time in seconds to wait until the system is on-line and able to # connect to remote repositories. network_online_timeout = 60 # To just receive updates use dnf-automatic-notifyonly.timer # Whether updates should be downloaded when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. download_updates = yes # Whether updates should be applied when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. apply_updates = yes

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/dnf/automatic.conf	regular	0	0	2719	`rw-r--r--`

Ensure gpgcheck Enabled for All yum Package Repositories

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_never_disabled:def:1
Time	2021-06-18T12:02:28+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80792-5 References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	To ensure signature checking is not disabled for any repos, remove any lines from files in `/etc/yum.repos.d` of the form: gpgcheck=0
Rationale	Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/yum.repos.d	.*	^\sgpgcheck\s=\s0\s$	1

Ensure gpgcheck Enabled In Main yum Configuration

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_globally_activated:def:1
Time	2021-06-18T12:02:28+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80790-9 References: BP28(R15), 1.2.4, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r627750_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in `/etc/yum.conf` in the `[main]` section: gpgcheck=1
Rationale	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL test results details

check value of gpgcheck in /etc/yum.conf oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1 true

Following items have been found on the system:

Path	Content
/etc/yum.conf	gpgcheck=1

Prefer to use a 64-bit Operating System when supported

Rule ID	xccdf_org.ssgproject.content_rule_prefer_64bit_os
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-prefer_64bit_os:def:1
Time	2021-06-18T12:02:24+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83694-0 References: BP28(R10)
Description	Prefer installation of 64-bit operating systems when the CPU supports it.
Rationale	Use of a 64-bit operating system offers a few advantages, like a larger address space range for Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.
Warnings	warning There is no remediation besides installing a 64-bit operating system.

OVAL test results details

Check if kernel nvr arch is 64-bit oval:ssg-test_proc_sys_kernel_osrelease_64_bit:tst:1 true

Following items have been found on the system:

Path	Content
/proc/sys/kernel/osrelease	4.18.0-314.el8.x86_64

Check for CPU flag lm oval:ssg-test_proc_cpuinfo_64_bit:tst:1 true

Following items have been found on the system:

Path	Content
/proc/cpuinfo	flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities

Set PAM's Password Hashing Algorithm

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80893-1 References: BP28(R32), 5.4.4, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-08-010160, SV-230237r627750_rule, SRG-OS-000480-VMM-002000
Description	The PAM system service can be configured to only store encrypted representations of passwords. In `/etc/pam.d/system-auth`, the `password` section of the file controls which PAM modules execute during a password change. Set the `pam_unix.so` module in the `password` section to include the argument `sha512`, as shown below: password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL test results details

check /etc/pam.d/system-auth for correct settings oval:ssg-test_pam_unix_sha512:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_ocredit:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80663-8 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000266-GPOS-00101, RHEL-08-020280, SV-230375r627750_rule, SRG-OS-000266-VMM-000940
Description	The pam_pwquality module's `ocredit=` parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the `ocredit` setting in `/etc/security/pwquality.conf` to equal -1 to require use of a special character in passwords.
Rationale	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ocredit:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/pwquality.conf	ocredit = -1

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_lcredit:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80655-4 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, RHEL-08-020120, SV-230358r627750_rule, SRG-OS-000070-VMM-000370
Description	The pam_pwquality module's `lcredit` parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the `lcredit` setting in `/etc/security/pwquality.conf` to require the use of a lowercase character in passwords.
Rationale	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_lcredit:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/pwquality.conf	lcredit = -1

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_dcredit:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80653-9 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, RHEL-08-020130, SV-230359r627750_rule, SRG-OS-000071-VMM-000380
Description	The pam_pwquality module's `dcredit` parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the `dcredit` setting in `/etc/security/pwquality.conf` to require the use of a digit in passwords.
Rationale	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_dcredit:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/pwquality.conf	dcredit = -1

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_ucredit:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80665-3 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, RHEL-08-020110, SV-230357r627750_rule, SRG-OS-000069-VMM-000360
Description	The pam_pwquality module's `ucredit=` parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the `ucredit` setting in `/etc/security/pwquality.conf` to require the use of an uppercase character in passwords.
Rationale	Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ucredit:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/pwquality.conf	ucredit = -1

Ensure PAM Enforces Password Requirements - Minimum Length

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_minlen:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80656-2 References: BP28(R18), 5.4.1, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, RHEL-08-020230, SV-230369r627750_rule, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450
Description	The pam_pwquality module's `minlen` parameter controls requirements for minimum characters required in a password. Add `minlen=18` after pam_pwquality to set minimum password length requirements.
Rationale	The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minlen:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/pwquality.conf	minlen = 18

Set Interval For Counting Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_passwords_pam_faillock_interval:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80669-5 References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020012, SV-230334r627750_rule, SRG-OS-000021-VMM-000050
Description	Utilizing `pam_faillock.so`, the `fail_interval` directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: Add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so
Rationale	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL test results details

check maximum preauth fail_interval allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root

check maximum authfail fail_interval allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root

check maximum authfail fail_interval allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root

check maximum preauth fail_interval allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root

check if pam_faillock.so is required in account section in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	account required pam_faillock.so

check if pam_faillock.so is required in account section in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	account required pam_faillock.so

Limit Password Reuse

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_unix_remember:def:1
Time	2021-06-18T12:02:28+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80666-1 References: BP28(R18), 5.4.3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-08-020220, SV-230368r627750_rule, SRG-OS-000077-VMM-000440
Description	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_unix` or `pam_pwhistory` PAM modules. In the file `/etc/pam.d/system-auth`, append `remember=2` to the line which refers to the `pam_unix.so` or `pam_pwhistory.so`module, as shown below: for the `pam_unix.so` case: password sufficient pam_unix.so ...existing_options... remember=2 for the `pam_pwhistory.so` case: password requisite pam_pwhistory.so ...existing_options... remember=2 The DoD STIG requirement is 5 passwords.
Rationale	Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

OVAL test results details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_unix_remember:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\spassword\s+(?:(?:requisite)\|(?:required))\s+pam_pwhistory\.so.remember=([0-9]).$	1

Set Lockout Time for Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80670-3 References: BP28(R18), 5.4.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020014, SV-230336r627750_rule, SRG-OS-000329-VMM-001180
Description	To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using `pam_faillock.so`, modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so If `unlock_time` is set to `0`, manual intervention by an administrator is required to unlock a user.
Rationale	Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

OVAL test results details

Check if external variable unlock time is never oval:ssg-test_var_faillock_unlock_time_is_never:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1	900

Check if unlock time is never oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/system-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root

Check if external variable unlock time is never oval:ssg-test_var_faillock_unlock_time_is_never:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1	900

Check if unlock time is never, or greater than or equal external variable oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/system-auth	auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root

Set Deny For Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_passwords_pam_faillock_deny:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80667-9 References: BP28(R18), 5.4.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020010, SV-230332r627750_rule, SRG-OS-000021-VMM-000050
Description	To configure the system to lock out accounts after a number of incorrect login attempts using `pam_faillock.so`, modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: add the following line immediately `before` the `pam_unix.so` statement in the `AUTH` section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 add the following line immediately `after` the `pam_unix.so` statement in the `AUTH` section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 add the following line immediately `before` the `pam_unix.so` statement in the `ACCOUNT` section: account required pam_faillock.so
Rationale	Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

OVAL test results details

Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix. oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass

Check if pam_faillock.so is called in account phase before pam_unix oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	account required pam_faillock.so account required pam_unix.so

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass

Check if pam_faillock_so is called in account phase before pam_unix. oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	account required pam_faillock.so account required pam_unix.so

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/system-auth	1

Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/password-auth	1

Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct. oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3

Configure the root Account for Failed Password Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80668-7 References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020022, SV-230344r646874_rule
Description	To configure the system to lock out the `root` account after a number of incorrect login attempts using `pam_faillock.so`, modify the content of both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` as follows: Modify the following line in the `AUTH` section to add `even_deny_root`: auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=900 fail_interval=900 Modify the following line in the `AUTH` section to add `even_deny_root`: auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=900 fail_interval=900
Rationale	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL test results details

Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail) oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail) oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root

Set Up a Private Namespace in PAM Configuration

Rule ID	xccdf_org.ssgproject.content_rule_enable_pam_namespace
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-enable_pam_namespace:def:1
Time	2021-06-18T12:02:28+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83744-3 References: BP28(R39)
Description	To setup a private namespace add the following line to `/etc/pam.d/login`: session required pam_namespace.so
Rationale	The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. The polyinstatied directories can be used to dedicate separate temporary directories to each account.

OVAL test results details

tests the presence of pam_namespace.so module in the /etc/pam.d/login file oval:ssg-test_enable_pam_namespace:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/login	session required pam_namespace.so

Set Password Minimum Length in login.defs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_minlen_login_defs:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80652-1 References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000078-GPOS-00046, RHEL-08-020231, SV-230370r627750_rule
Description	To specify password length requirements for new accounts, edit the file `/etc/login.defs` and add or correct the following line: PASS_MIN_LEN 18 The DoD requirement is `15`. The FISMA requirement is `12`. The profile requirement is `18`. If a program consults `/etc/login.defs` and also another PAM module (such as `pam_pwquality`) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.
Rationale	Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

OVAL test results details

The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_len:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_min_len_instance_value:var:1	18

Set Password Maximum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_maximum_age_login_defs:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80647-1 References: BP28(R18), 5.5.1.1, 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-08-020200, SV-230366r646878_rule
Description	To specify password maximum age for new accounts, edit the file `/etc/login.defs` and add or correct the following line: PASS_MAX_DAYS 90 A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is `90`.
Rationale	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

OVAL test results details

The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_max_days:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_max_days_instance_value:var:1	90

Direct root Logins Not Allowed

Rule ID	xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_direct_root_logins:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80840-2 References: BP28(R19), 5.6, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7
Description	To further limit access to the `root` account, administrators can disable root logins at the console by editing the `/etc/securetty` file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 8's `/etc/securetty` file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: $ sudo echo > /etc/securetty
Rationale	Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.

OVAL test results details

no entries in /etc/securetty oval:ssg-test_no_direct_root_logins:tst:1 true

Following items have been found on the system:

Path	Content
/etc/securetty

/etc/securetty file exists oval:ssg-test_etc_securetty_exists:tst:1 true

Following items have been found on the system:

Path	Content
/etc/securetty

Set number of Password Hashing Rounds - system-auth

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_unix_rounds_system_auth:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83386-3 References: BP28(R32), CCI-000196, SRG-OS-000073-GPOS-00041, RHEL-08-010130, SV-230233r627750_rule
Description	Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the `rounds` option for the `pam_unix` PAM module. In file `/etc/pam.d/system-auth` append `rounds=65536` to the `pam_unix.so` file, as shown below: password sufficient pam_unix.so ...existing_options... rounds=65536 The system's default number of rounds is 5000.
Rationale	Using a higher number of rounds makes password cracking attacks more difficult.
Warnings	warning Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.

OVAL test results details

Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth oval:ssg-test_system_auth_pam_unix_rounds_is_set:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/system-auth oval:ssg-test_system_auth_pam_unix_rounds_is_default:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Check if value of var_password_pam_unix_rounds is the system's default oval:ssg-test_system_auth_default_pam_unix_rounds_var:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_password_pam_unix_rounds:var:1	65536

Set number of Password Hashing Rounds - password-auth

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_unix_rounds_password_auth:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83403-6 References: BP28(R32), CCI-000196, SRG-OS-000073-GPOS-00041, RHEL-08-010130, SV-230233r627750_rule
Description	Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the `rounds` option for the `pam_unix` PAM module. In file `/etc/pam.d/password-auth` append `rounds=65536` to the `pam_unix.so` file, as shown below: password sufficient pam_unix.so ...existing_options... rounds=65536 The system's default number of rounds is 5000.
Rationale	Using a higher number of rounds makes password cracking attacks more difficult.
Warnings	warning Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.

OVAL test results details

Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth oval:ssg-test_password_auth_pam_unix_rounds_is_set:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/password-auth oval:ssg-test_password_auth_pam_unix_rounds_is_default:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536

Check if value of var_password_pam_unix_rounds is the system's default oval:ssg-test_password_auth_default_pam_unix_rounds_var:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_password_pam_unix_rounds:var:1	65536

Ensure the Default Bash Umask is Set Correctly

Rule ID	xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_umask_etc_bashrc:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81036-6 References: BP28(R35), 5.5.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, SV-230385r627750_rule
Description	To ensure the default umask for users of the Bash shell is set properly, add or correct the `umask` setting in `/etc/bashrc` to read as follows: umask 077
Rationale	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	63

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 true

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_bashrc_umask_as_number:var:1	63	63	63	63	63	63	63	63

Ensure the Default Umask is Set Correctly in /etc/profile

Rule ID	xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_umask_etc_profile:def:1
Time	2021-06-18T12:02:29+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-81035-8 References: BP28(R35), 5.5.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228
Description	To ensure the default umask controlled by `/etc/profile` is set properly, add or correct the `umask` setting in `/etc/profile` to read as follows: umask 077
Rationale	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	63

Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 true

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_profile_umask_as_number:var:1	63	63	63	63	63	63	63	63

Ensure the Default Umask is Set Correctly in login.defs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_umask_etc_login_defs:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82888-9 References: BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020351, SV-230383r627750_rule
Description	To ensure the default umask controlled by `/etc/login.defs` is set properly, add or correct the `UMASK` setting in `/etc/login.defs` to read as follows: UMASK 077
Rationale	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	63

Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_login_defs:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_etc_login_defs_umask_as_number:var:1	63

Configure Polyinstantiation of /tmp Directories

Rule ID	xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_polyinstantiated_tmp:def:1
Time	2021-06-18T12:02:29+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83732-8 References: BP28(R39)
Description	To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: $ sudo mkdir --mode 000 /tmp/tmp-inst Then, add the following entry to `/etc/security/namespace.conf`: /tmp /tmp/tmp-inst/ level root,adm
Rationale	Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /tmp directories being world-writable.

OVAL test results details

Check that /tmp/tmp-inst exists and has mode 000 oval:ssg-test_tmp_inst:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/tmp/tmp-inst/	directory	0	0	57	`---------`

Check configuration of /tmp in /etc/security/namespace.conf file oval:ssg-test_tmp_in_namespace_conf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/namespace.conf	/tmp /tmp/tmp-inst/ level root,adm

Configure Polyinstantiation of /var/tmp Directories

Rule ID	xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_polyinstantiated_var_tmp:def:1
Time	2021-06-18T12:02:29+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83778-1 References: BP28(R39)
Description	To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: $ sudo mkdir --mode 000 /var/tmp/tmp-inst Then, add the following entry to `/etc/security/namespace.conf`: /var/tmp /var/tmp/tmp-inst/ level root,adm
Rationale	Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /var/tmp directories being world-writable.

OVAL test results details

Check that /tmp-inst exists and has mode 000 oval:ssg-test_var_tmp_tmp_inst:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/var/tmp/tmp-inst/	directory	0	0	57	`---------`

Check configuration of /tmp in /etc/security/namespace.conf file oval:ssg-test_var_tmp_in_namespace_conf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/security/namespace.conf	/var/tmp /var/tmp/tmp-inst/ level root,adm

Set Interactive Session Timeout

Rule ID	xccdf_org.ssgproject.content_rule_accounts_tmout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_tmout:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80673-7 References: BP28(R29), 5.5.3, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010
Description	Setting the `TMOUT` option in `/etc/profile` ensures that all user sessions will terminate based on inactivity. The `TMOUT` setting in a file loaded by `/etc/profile`, e.g. `/etc/profile.d/tmout.sh` should read as follows: TMOUT=600
Rationale	Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL test results details

TMOUT in /etc/profile oval:ssg-test_etc_profile_tmout:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/profile	^[\s]TMOUT=([\w$]+).$	1

TMOUT in /etc/profile.d/*.sh oval:ssg-test_etc_profiled_tmout:tst:1 true

Following items have been found on the system:

Path	Content
/etc/profile.d/tmout.sh	TMOUT=600

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_sudo:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80737-0 References: BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL test results details

audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/auditd.service	ExecStartPost=-/sbin/augenrules --load

audit augenrules sudo oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/usr/lib/systemd/system/auditd.service	^ExecStartPost=\-\/sbin\/auditctl.*$	1

audit auditctl sudo oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81017-6 References: BP28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.default.secure_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.secure_redirects = 0
Rationale	Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv4.conf.default.secure_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.secure_redirects	0

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time	2021-06-18T12:02:29+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80917-8 References: BP28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, SV-230544r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_redirects	0

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80920-2 References: BP28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040250, SV-230539r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_source_route	0

Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80923-6 References: BP28(R22), 3.2.8, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001095, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071
Description	To set the runtime status of the `net.ipv4.tcp_syncookies` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.tcp_syncookies = 1
Rationale	A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

OVAL test results details

net.ipv4.tcp_syncookies static configuration oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.tcp_syncookies	1

Set Kernel Parameter to Increase Local Port Range

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_ip_local_port_range:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-84277-3 References: BP28(R22)
Description	To set the runtime status of the `net.ipv4.ip_local_port_range` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.ip_local_port_range = 32768 65535
Rationale	This setting defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first, the second the last local port number.

OVAL test results details

net.ipv4.ip_local_port_range static configuration oval:ssg-test_static_sysctl_net_ipv4_ip_local_port_range:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv4.ip_local_port_range = 32768 65535

net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_ip_local_port_range:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv4.ip_local_port_range = 32768 65535

net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_ip_local_port_range:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_ip_local_port_range:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_local_port_range[\s]=[\s]32768\s65535[\s]*$	1

net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_local_port_range[\s]=[\s]32768\s65535[\s]*$	1

kernel runtime parameter net.ipv4.ip_local_port_range set to 32768 65535 oval:ssg-test_sysctl_runtime_net_ipv4_ip_local_port_range:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.ip_local_port_range	32768 65535

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80919-4 References: BP28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040210, SV-230535r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_redirects	0

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1
Time	2021-06-18T12:02:30+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-81018-4 References: BP28(R22), 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.log_martians` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.log_martians = 1
Rationale	The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

OVAL test results details

net.ipv4.conf.all.log_martians static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.log_martians	1

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1
Time	2021-06-18T12:02:30+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-81023-4 References: BP28(R22), 3.2.6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.icmp_ignore_bogus_error_responses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale	Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

OVAL test results details

net.ipv4.icmp_ignore_bogus_error_responses static configuration oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.icmp_ignore_bogus_error_responses	1

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81022-6 References: BP28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.default.rp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.rp_filter = 1
Rationale	Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

OVAL test results details

net.ipv4.conf.default.rp_filter static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.rp_filter	1

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81016-8 References: BP28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.secure_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.secure_redirects = 0
Rationale	Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv4.conf.all.secure_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.secure_redirects	0

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81011-9 References: BP28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, SV-230538r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	# Do not accept source routing net.ipv4.conf.all.accept_source_route = 0

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_source_route	0

Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_tcp_rfc1337:def:1
Time	2021-06-18T12:02:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-84270-8 References: BP28(R22)
Description	To set the runtime status of the `net.ipv4.tcp_rfc1337` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.tcp_rfc1337 = 1
Rationale	Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is received in TIME_WAIT state, we close the socket immediately without waiting for the end of the TIME_WAIT period.

OVAL test results details

net.ipv4.tcp_rfc1337 static configuration oval:ssg-test_static_sysctl_net_ipv4_tcp_rfc1337:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf net.ipv4.tcp_rfc1337 = 1

net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_rfc1337:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf net.ipv4.tcp_rfc1337 = 1

net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_tcp_rfc1337:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_tcp_rfc1337:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_rfc1337[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_rfc1337[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.tcp_rfc1337 set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_tcp_rfc1337:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.tcp_rfc1337	1

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
Time	2021-06-18T12:02:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81021-8 References: BP28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040285, SV-230549r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.all.rp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.rp_filter = 1
Rationale	Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

OVAL test results details

net.ipv4.conf.all.rp_filter static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	# Source route verification net.ipv4.conf.all.rp_filter = 1

kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.rp_filter	1

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time	2021-06-18T12:02:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80921-0 References: BP28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, SV-230543r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL test results details

net.ipv4.conf.default.send_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.send_redirects	0

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time	2021-06-18T12:02:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80918-6 References: BP28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, SV-230536r627750_rule
Description	To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL test results details

net.ipv4.conf.all.send_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.send_redirects	0

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_ip_forward:def:1
Time	2021-06-18T12:02:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81024-2 References: BP28(R22), 3.1.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040260, SV-230540r627750_rule
Description	To set the runtime status of the `net.ipv4.ip_forward` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.ip_forward = 0
Rationale	Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Warnings	warning Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.

OVAL test results details

net.ipv4.ip_forward static configuration oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv4.ip_forward = 0

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv4.ip_forward = 0

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.ip_forward set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.ip_forward	0

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time	2021-06-18T12:02:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81010-1 References: BP28(R22), 3.2.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, SV-230535r627750_rule
Description	To set the runtime status of the `net.ipv6.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_redirects	0

Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:def:1
Time	2021-06-18T12:02:31+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84288-0 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.accept_ra_rtr_pref` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_rtr_pref = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_ra_rtr_pref static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_rtr_pref = 0

net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_rtr_pref = 0

net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_rtr_pref[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_rtr_pref[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_ra_rtr_pref set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_ra_rtr_pref	0

Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_max_addresses:def:1
Time	2021-06-18T12:02:31+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84257-5 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.max_addresses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.max_addresses = 1
Rationale	The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.max_addresses static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_max_addresses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.default.max_addresses = 1

net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_max_addresses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.default.max_addresses = 1

net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_max_addresses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_max_addresses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.max_addresses[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.max_addresses[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.max_addresses set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_max_addresses:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.max_addresses	1

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time	2021-06-18T12:02:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81015-0 References: BP28(R22), 3.2.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040250, SV-230539r627750_rule
Description	To set the runtime status of the `net.ipv6.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_source_route	0

Configure Denying Router Solicitations on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_router_solicitations:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83477-0 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.router_solicitations` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.router_solicitations = 0
Rationale	To prevent discovery of the system by other systems, router solicitation requests should be denied.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.router_solicitations static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_router_solicitations:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.default.router_solicitations = 0

net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_router_solicitations:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.default.router_solicitations = 0

net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_router_solicitations:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_router_solicitations:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.router_solicitations[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.router_solicitations[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.router_solicitations set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_router_solicitations:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.router_solicitations	0

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time	2021-06-18T12:02:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81013-5 References: BP28(R22), 3.2.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, SV-230538r627750_rule
Description	To set the runtime status of the `net.ipv6.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_source_route	0

Configure Auto Configuration on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_autoconf:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84264-1 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.autoconf` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.autoconf = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.autoconf static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_autoconf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.default.autoconf = 0

net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_autoconf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.default.autoconf = 0

net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_autoconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_autoconf:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.autoconf[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.autoconf[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.autoconf set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_autoconf:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.autoconf	0

Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84280-7 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.accept_ra_pinfo` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_pinfo = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_ra_pinfo static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_pinfo = 0

net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_pinfo = 0

net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_pinfo[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_pinfo[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_ra_pinfo set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_ra_pinfo	0

Configure Auto Configuration on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_autoconf:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84266-6 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.autoconf` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.autoconf = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.autoconf static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_autoconf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.all.autoconf = 0

net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_autoconf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.all.autoconf = 0

net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_autoconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_autoconf:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.autoconf[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.autoconf[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.autoconf set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_autoconf:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.autoconf	0

Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84268-2 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.accept_ra_defrtr` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_defrtr = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_ra_defrtr static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_defrtr = 0

net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_defrtr = 0

net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_defrtr[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_defrtr[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_ra_defrtr set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_ra_defrtr	0

Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_max_addresses:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84259-1 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.max_addresses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.max_addresses = 1
Rationale	The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.max_addresses static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_max_addresses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.all.max_addresses = 1

net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_max_addresses:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.all.max_addresses = 1

net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_max_addresses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_max_addresses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.max_addresses[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.max_addresses[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.max_addresses set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_max_addresses:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.max_addresses	1

Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84051-2 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.accept_ra_pinfo` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_pinfo = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_ra_pinfo static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_pinfo = 0

net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_pinfo = 0

net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_pinfo[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_pinfo[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_ra_pinfo set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_pinfo:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_ra_pinfo	0

Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84291-4 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.default.accept_ra_rtr_pref` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_rtr_pref = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_ra_rtr_pref static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_rtr_pref = 0

net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_rtr_pref = 0

net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_rtr_pref[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra_rtr_pref[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_ra_rtr_pref	0

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time	2021-06-18T12:02:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81009-3 References: BP28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, SV-230544r627750_rule
Description	To set the runtime status of the `net.ipv6.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_redirects	0

Configure Denying Router Solicitations on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_router_solicitations:def:1
Time	2021-06-18T12:02:32+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84109-8 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.router_solicitations` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.router_solicitations = 0
Rationale	To prevent discovery of the system by other systems, router solicitation requests should be denied.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.router_solicitations static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_router_solicitations:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.all.router_solicitations = 0

net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_router_solicitations:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.all.router_solicitations = 0

net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_router_solicitations:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_router_solicitations:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.router_solicitations[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.router_solicitations[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.router_solicitations set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_router_solicitations:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.router_solicitations	0

Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr:def:1
Time	2021-06-18T12:02:33+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-84272-4 References: BP28(R22)
Description	To set the runtime status of the `net.ipv6.conf.all.accept_ra_defrtr` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_defrtr = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_ra_defrtr static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	# Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_defrtr = 0

net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	# Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_defrtr = 0

net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_defrtr[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra_defrtr[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_ra_defrtr set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_defrtr:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_ra_defrtr	0

Ensure Logrotate Runs Periodically

Rule ID	xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_logrotate_activated:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80794-1 References: BP28(R43), NT12(R18), 4.3, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
Description	The `logrotate` utility allows for the automatic rotation of log files. The frequency of rotation is specified in `/etc/logrotate.conf`, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in `/etc/logrotate.conf`: # rotate log files frequency daily
Rationale	Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

OVAL test results details

Tests the presence of daily setting in /etc/logrotate.conf file oval:ssg-test_logrotate_conf_daily_setting:tst:1 true

Following items have been found on the system:

Path	Content
/etc/logrotate.conf	daily

Test if there is no weekly/monthly/yearly keyword oval:ssg-test_logrotate_conf_no_other_keyword:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_logrotate_conf_no_other_keyword:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/logrotate.conf	^\s(weekly\|monthly\|yearly)[\s#]$	1

Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility) oval:ssg-test_cron_daily_logrotate_existence:tst:1 true

Following items have been found on the system:

Path	Content
/etc/cron.daily/logrotate	/usr/sbin/logrotate /etc/logrotate.conf

Ensure Logs Sent To Remote Host

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_remote_loghost:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80863-4 References: BP28(R7), NT28(R43), NT12(R5), 4.2.1.5, 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, RHEL-08-030690, SV-230479r627750_rule, SRG-OS-000032-VMM-000130
Description	To configure rsyslog to send logs to a remote log server, open `/etc/rsyslog.conf` and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting `logcollector` appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: . @logcollector To use TCP for log message delivery: . @@logcollector To use RELP for log message delivery: . :omrelp:logcollector There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.
Rationale	A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

OVAL test results details

Ensures system configured to export logs to remote host oval:ssg-test_remote_rsyslog_conf:tst:1 true

Following items have been found on the system:

Path	Content
/etc/rsyslog.conf	. @

Ensures system configured to export logs to remote host oval:ssg-test_remote_rsyslog_d:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/rsyslog.d	.*	^\\.\[\s]+(?:@\|\:omrelp\:)	1

Configure TLS for rsyslog remote logging

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_remote_tls
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_remote_tls:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82457-3 References: BP28(R43), 0988, 1405, AU-9(3), CM-6(a), FCS_TLSC_EXT.1, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061
Description	Configure `rsyslog` to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in `/etc/rsyslog.conf` using action. You can use the following command: echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf Replace the `<remote system>` in the above command with an IP address or a host name of the remote logging server.
Rationale	For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.

OVAL test results details

tests the omfwd action configuration oval:ssg-test_rsyslog_remote_tls:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rsyslog_remote_tls:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	^/etc/rsyslog\.(conf\|d/.+\.conf)$	^\s*action$(?i)type(?-i)="omfwd"(.+?)$	0

Configure CA certificate for rsyslog remote logging

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_remote_tls_cacert:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82458-1 References: BP28(R43), 0988, 1405, FCS_TLSC_EXT.1, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227
Description	Configure CA certificate for `rsyslog` logging to remote server using Transport Layer Security (TLS) using correct path for the `DefaultNetstreamDriverCAFile` global option in `/etc/rsyslog.conf`, for example with the following command: echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf Replace the `/etc/pki/tls/cert.pem` in the above command with the path to the file with CA certificate generated for the purpose of remote logging.
Rationale	The CA certificate needs to be set or `rsyslog.service` fails to start with error: ca certificate is not set, cannot continue

OVAL test results details

tests the DefaultNetstreamDriverCAFile configuration oval:ssg-test_rsyslog_remote_tls_cacert:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/rsyslog\.(conf\|d/.+\.conf)$	^\sglobal$DefaultNetstreamDriverCAFile="(.+?)"$\s\n	0

Ensure Log Files Are Owned By Appropriate Group

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_files_groupownership:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80860-0 References: BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2
Description	The group-owner of all log files written by `rsyslog` should be `root`. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's group owner: $ ls -l LOGFILE If the owner is not `root`, run the following command to correct this: $ sudo chgrp root LOGFILE
Rationale	The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL test results details

System log files are owned by the appropriate group oval:ssg-test_rsyslog_files_groupownership:tst:1 true

Following items have been found on the system:

Path	Type	Size (B)	Permissions
/var/log/maillog	regular	0	`rw-------`
/var/log/messages	regular	312093	`rw-------`
/var/log/cron	regular	967	`rw-------`
/var/log/boot.log	regular	7596	`rw-------`
/var/log/spooler	regular	0	`rw-------`
/var/log/secure	regular	2482	`rw-------`

Ensure Log Files Are Owned By Appropriate User

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_files_ownership:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80861-8 References: BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2
Description	The owner of all log files written by `rsyslog` should be `root`. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's owner: $ ls -l LOGFILE If the owner is not `root`, run the following command to correct this: $ sudo chown root LOGFILE
Rationale	The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL test results details

System log files are owned by the appropriate user oval:ssg-test_rsyslog_files_ownership:tst:1 true

Following items have been found on the system:

Path	Type	Size (B)	Permissions
/var/log/maillog	regular	0	`rw-------`
/var/log/messages	regular	312093	`rw-------`
/var/log/cron	regular	967	`rw-------`
/var/log/boot.log	regular	7596	`rw-------`
/var/log/spooler	regular	0	`rw-------`
/var/log/secure	regular	2482	`rw-------`

Ensure System Log Files Have Correct Permissions

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_files_permissions:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80862-6 References: BP28(R36), 4.2.1.3, CCI-001314, 0988, 1405, CM-6(a), AC-6(1), Req-10.5.1, Req-10.5.2
Description	The file permissions for all log files written by `rsyslog` should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's permissions: $ ls -l LOGFILE If the permissions are not 600 or more restrictive, run the following command to correct this: $ sudo chmod 0600 LOGFILE "
Rationale	Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

OVAL test results details

Permissions of system log files are correct oval:ssg-test_rsyslog_files_permissions:tst:1 true

Following items have been found on the system:

Path	Type	Size (B)	Permissions
/var/log/maillog	regular	0	`rw-------`
/var/log/messages	regular	312093	`rw-------`
/var/log/cron	regular	967	`rw-------`
/var/log/boot.log	regular	7596	`rw-------`
/var/log/spooler	regular	0	`rw-------`
/var/log/secure	regular	2482	`rw-------`

Ensure rsyslog-gnutls is installed

Rule ID	xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsyslog-gnutls_installed:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82859-0 References: BP28(R43), CCI-000366, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, RHEL-08-030680, SV-230478r627750_rule
Description	TLS protocol support for rsyslog is installed. The `rsyslog-gnutls` package can be installed with the following command: $ sudo yum install rsyslog-gnutls
Rationale	The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.

OVAL test results details

package rsyslog-gnutls is installed oval:ssg-test_package_rsyslog-gnutls_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rsyslog-gnutls	x86_64	(none)	7.el8_4.2	8.1911.0	0:8.1911.0-7.el8_4.2	199e2f91fd431d51	rsyslog-gnutls-0:8.1911.0-7.el8_4.2.x86_64

Ensure rsyslog is Installed

Rule ID	xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsyslog_installed:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80847-7 References: BP28(R5), NT28(R46), 4.2.1.1, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, SV-230477r627750_rule
Description	Rsyslog is installed by default. The `rsyslog` package can be installed with the following command: $ sudo yum install rsyslog
Rationale	The rsyslog package provides the rsyslog daemon, which provides system logging services.

OVAL test results details

package rsyslog is installed oval:ssg-test_package_rsyslog_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rsyslog	x86_64	(none)	7.el8_4.2	8.1911.0	0:8.1911.0-7.el8_4.2	199e2f91fd431d51	rsyslog-0:8.1911.0-7.el8_4.2.x86_64

Enable rsyslog Service

Rule ID	xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_rsyslog_enabled:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80886-5 References: BP28(R5), NT28(R46), 4.2.1.2, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, SV-230298r627750_rule
Description	The `rsyslog` service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The `rsyslog` service can be enabled with the following command: $ sudo systemctl enable rsyslog.service
Rationale	The `rsyslog` service must be running in order to provide logging services, which are essential to system administration.

OVAL test results details

package rsyslog is installed oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rsyslog	x86_64	(none)	7.el8_4.2	8.1911.0	0:8.1911.0-7.el8_4.2	199e2f91fd431d51	rsyslog-0:8.1911.0-7.el8_4.2.x86_64

Test that the rsyslog service is running oval:ssg-test_service_running_rsyslog:tst:1 true

Following items have been found on the system:

Unit	Property	Value
rsyslog.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_rsyslog:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	var-tmp.mount	var.mount	sysinit.target	plymouth-read-write.service	lvm2-monitor.service	cryptsetup.target	systemd-hwdb-update.service	sys-kernel-debug.mount	local-fs.target	-.mount	srv.mount	opt.mount	home.mount	var-log.mount	tmp.mount	var-log-audit.mount	usr.mount	boot.mount	systemd-remount-fs.service	ostree-remount.service	lvm2-lvmpolld.socket	systemd-journal-flush.service	nis-domainname.service	iscsi-onboot.service	ldconfig.service	systemd-udevd.service	systemd-journal-catalog-update.service	systemd-update-utmp.service	systemd-random-seed.service	plymouth-start.service	dev-mqueue.mount	systemd-tmpfiles-setup.service	systemd-update-done.service	systemd-sysctl.service	systemd-modules-load.service	proc-sys-fs-binfmt_misc.automount	systemd-binfmt.service	selinux-autorelabel-mark.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	dev-hugepages.mount	systemd-udev-trigger.service	systemd-machine-id-commit.service	systemd-sysusers.service	import-state.service	systemd-firstboot.service	sys-kernel-config.mount	loadmodules.service	swap.target	dev-mapper-rhel\x2dswap.swap	kmod-static-nodes.service	multipathd.service	systemd-tmpfiles-setup-dev.service	systemd-journald.service	dracut-shutdown.service	paths.target	timers.target	dnf-makecache.timer	dnf-automatic.timer	mlocate-updatedb.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	sockets.target	systemd-journald.socket	avahi-daemon.socket	systemd-journald-dev-log.socket	dm-event.socket	libvirtd-ro.socket	dbus.socket	libvirtd.socket	virtlogd.socket	virtlockd.socket	systemd-coredump.socket	iscsiuio.socket	systemd-udevd-kernel.socket	multipathd.socket	systemd-initctl.socket	iscsid.socket	cups.socket	systemd-udevd-control.socket	rpcbind.socket	sssd-kcm.socket	microcode.service	mdmonitor.service	smartd.service	sssd.service	plymouth-quit-wait.service	auditd.service	nfs-client.target	auth-rpcgss-module.service	rpc-statd-notify.service	remote-fs-pre.target	getty.target	getty@tty1.service	vdo.service	plymouth-quit.service	mcelog.service	systemd-ask-password-wall.path	ksm.service	tuned.service	rpcbind.service	rsyslog.service	ModemManager.service	chronyd.service	systemd-logind.service	systemd-update-utmp-runlevel.service	crond.service	NetworkManager.service	libstoragemgmt.service	vmtoolsd.service	sshd.service	ksmtuned.service	firewalld.service	irqbalance.service	cups.service	systemd-user-sessions.service	rhsmcertd.service	avahi-daemon.service	dbus.service	kdump.service	libvirtd.service	cups.path	remote-fs.target	iscsi.service	var-lib-machines.mount	atd.service

systemd test oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	var-tmp.mount	var.mount	sysinit.target	plymouth-read-write.service	lvm2-monitor.service	cryptsetup.target	systemd-hwdb-update.service	sys-kernel-debug.mount	local-fs.target	-.mount	srv.mount	opt.mount	home.mount	var-log.mount	tmp.mount	var-log-audit.mount	usr.mount	boot.mount	systemd-remount-fs.service	ostree-remount.service	lvm2-lvmpolld.socket	systemd-journal-flush.service	nis-domainname.service	iscsi-onboot.service	ldconfig.service	systemd-udevd.service	systemd-journal-catalog-update.service	systemd-update-utmp.service	systemd-random-seed.service	plymouth-start.service	dev-mqueue.mount	systemd-tmpfiles-setup.service	systemd-update-done.service	systemd-sysctl.service	systemd-modules-load.service	proc-sys-fs-binfmt_misc.automount	systemd-binfmt.service	selinux-autorelabel-mark.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	dev-hugepages.mount	systemd-udev-trigger.service	systemd-machine-id-commit.service	systemd-sysusers.service	import-state.service	systemd-firstboot.service	sys-kernel-config.mount	loadmodules.service	swap.target	dev-mapper-rhel\x2dswap.swap	kmod-static-nodes.service	multipathd.service	systemd-tmpfiles-setup-dev.service	systemd-journald.service	dracut-shutdown.service	paths.target	timers.target	dnf-makecache.timer	dnf-automatic.timer	mlocate-updatedb.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	sockets.target	systemd-journald.socket	avahi-daemon.socket	systemd-journald-dev-log.socket	dm-event.socket	libvirtd-ro.socket	dbus.socket	libvirtd.socket	virtlogd.socket	virtlockd.socket	systemd-coredump.socket	iscsiuio.socket	systemd-udevd-kernel.socket	multipathd.socket	systemd-initctl.socket	iscsid.socket	cups.socket	systemd-udevd-control.socket	rpcbind.socket	sssd-kcm.socket	microcode.service	mdmonitor.service	smartd.service	sssd.service	plymouth-quit-wait.service	auditd.service	nfs-client.target	auth-rpcgss-module.service	rpc-statd-notify.service	remote-fs-pre.target	getty.target	getty@tty1.service	vdo.service	plymouth-quit.service	mcelog.service	systemd-ask-password-wall.path	ksm.service	tuned.service	rpcbind.service	rsyslog.service	ModemManager.service	chronyd.service	systemd-logind.service	systemd-update-utmp-runlevel.service	crond.service	NetworkManager.service	libstoragemgmt.service	vmtoolsd.service	sshd.service	ksmtuned.service	firewalld.service	irqbalance.service	cups.service	systemd-user-sessions.service	rhsmcertd.service	avahi-daemon.service	dbus.service	kdump.service	libvirtd.service	cups.path	remote-fs.target	iscsi.service	var-lib-machines.mount	atd.service

Verify Permissions on gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_gshadow:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80811-3 References: BP28(R36), 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	To properly set the permissions of `/etc/gshadow`, run the command: $ sudo chmod 0000 /etc/gshadow
Rationale	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/gshadow oval:ssg-test_file_permissions_etc_gshadow:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_gshadow:obj:1 of type file_object

Filepath	Filter
/etc/gshadow	oval:ssg-state_file_permissions_etc_gshadow_mode_not_0000:ste:1

Verify Permissions on group File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_group:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80810-5 References: BP28(R36), 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
Description	To properly set the permissions of `/etc/passwd`, run the command: $ sudo chmod 0644 /etc/passwd
Rationale	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing mode of /etc/group oval:ssg-test_file_permissions_etc_group:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_group:obj:1 of type file_object

Filepath	Filter
/etc/group	oval:ssg-state_file_permissions_etc_group_mode_not_0644:ste:1

Verify Permissions on shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_shadow:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80813-9 References: BP28(R36), 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
Description	To properly set the permissions of `/etc/shadow`, run the command: $ sudo chmod 0000 /etc/shadow
Rationale	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL test results details

Testing mode of /etc/shadow oval:ssg-test_file_permissions_etc_shadow:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_shadow:obj:1 of type file_object

Filepath	Filter
/etc/shadow	oval:ssg-state_file_permissions_etc_shadow_mode_not_0000:ste:1

Verify User Who Owns gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_gshadow:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80802-2 References: BP28(R36), 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	To properly set the owner of `/etc/gshadow`, run the command: $ sudo chown root /etc/gshadow
Rationale	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/gshadow oval:ssg-test_file_owner_etc_gshadow:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/gshadow	regular	0	0	771	`---------`

Verify User Who Owns shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_shadow:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80804-8 References: BP28(R36), 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
Description	To properly set the owner of `/etc/shadow`, run the command: $ sudo chown root /etc/shadow
Rationale	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL test results details

Testing user ownership of /etc/shadow oval:ssg-test_file_owner_etc_shadow:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/shadow	regular	0	0	1309	`---------`

Verify Permissions on passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_passwd:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80812-1 References: BP28(R36), 6.1.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
Description	To properly set the permissions of `/etc/passwd`, run the command: $ sudo chmod 0644 /etc/passwd
Rationale	If the `/etc/passwd` file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/passwd oval:ssg-test_file_permissions_etc_passwd:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_passwd:obj:1 of type file_object

Filepath	Filter
/etc/passwd	oval:ssg-state_file_permissions_etc_passwd_mode_not_0644:ste:1

Enable Kernel Parameter to Enforce DAC on Symlinks

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_fs_protected_symlinks:def:1
Time	2021-06-18T12:02:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81030-9 References: BP28(R23), CCI-002165, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125, RHEL-08-010373, SV-230267r627750_rule
Description	To set the runtime status of the `fs.protected_symlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_symlinks = 1
Rationale	By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.

OVAL test results details

fs.protected_symlinks static configuration oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	fs.protected_symlinks = 1

kernel runtime parameter fs.protected_symlinks set to 1 oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1 true

Following items have been found on the system:

Name	Value
fs.protected_symlinks	1

Ensure All World-Writable Directories Are Owned by root user

Rule ID xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dir_perms_world_writable_root_owned:def:1

Time 2021-06-18T12:03:27+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83375-6

References: BP28(R40), CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010700, SV-230318r627750_rule

Description

All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Remediation Shell script ⇲

#!/bin/bash

find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Strategy:	restrict

- name: Configure excluded (non local) file systems
  set_fact:
    excluded_fstypes:
      - afs
      - ceph
      - cifs
      - smb3
      - smbfs
      - sshfs
      - ncpfs
      - ncp
      - nfs
      - nfs4
      - gfs
      - gfs2
      - glusterfs
      - gpfs
      - pvfs2
      - ocfs2
      - lustre
      - davfs
      - fuse.sshfs
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create empty list of excluded paths
  set_fact:
    excluded_paths: []
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Detect nonlocal file systems and add them to excluded paths
  set_fact:
    excluded_paths: '{{ excluded_paths | union([item.mount]) }}'
  loop: '{{ ansible_mounts }}'
  when: item.fstype in excluded_fstypes
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Find all directories excluding non-local partitions
  find:
    paths: /
    excludes: excluded_paths
    file_type: directory
    hidden: true
    recurse: true
  register: found_dirs
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create list of world writable directories
  set_fact:
    world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}'
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Change owner to root on directories which are world writable
  file:
    path: '{{ item.path }}'
    owner: root
  loop: '{{ world_writable_dirs }}'
  ignore_errors: true
  tags:
    - CCE-83375-6
    - DISA-STIG-RHEL-08-010700
    - dir_perms_world_writable_root_owned
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

OVAL test results details

check for local directories that are world writable and have uid greater than 0 oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/tmp/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_test/.ICE-unix/	directory	1000	1000	18	`rwxrwxrwxt`

Enable Kernel Parameter to Enforce DAC on Hardlinks

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_fs_protected_hardlinks:def:1
Time	2021-06-18T12:03:27+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81027-5 References: BP28(R23), CCI-002165, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125, RHEL-08-010374, SV-230268r627750_rule
Description	To set the runtime status of the `fs.protected_hardlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_hardlinks = 1
Rationale	By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.

OVAL test results details

fs.protected_hardlinks static configuration oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	fs.protected_hardlinks = 1

kernel runtime parameter fs.protected_hardlinks set to 1 oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1 true

Following items have been found on the system:

Name	Value
fs.protected_hardlinks	1

Ensure All SGID Executables Are Authorized

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_unauthorized_sgid:def:1
Time	2021-06-18T12:04:43+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80816-2 References: BP28(R37), BP28(R38), 6.1.14, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.
Rationale	Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

OVAL test results details

sgid files outside system RPMs oval:ssg-test_file_permissions_unauthorized_sgid:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_file_permissions_unauthorized_sgid_unowned:obj:1 of type file_object

Behaviors	Path	Filename	Filter	Filter
no value	/	^.*$	oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1	oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1

Ensure All SUID Executables Are Authorized

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_unauthorized_suid:def:1
Time	2021-06-18T12:05:12+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80817-0 References: BP28(R37), BP28(R38), 6.1.13, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.
Rationale	Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

OVAL test results details

suid files outside system RPMs oval:ssg-test_file_permissions_unauthorized_suid:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_file_permissions_unauthorized_suid_unowned:obj:1 of type file_object

Behaviors	Path	Filename	Filter	Filter
no value	/	^.*$	oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1	oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1

Verify that All World-Writable Directories Have Sticky Bits Set

Rule ID	xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_perms_world_writable_sticky_bits:def:1
Time	2021-06-18T12:05:14+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80783-4 References: BP28(R40), 1.1.21, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, SV-230243r627750_rule
Description	When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR
Rationale	Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as `/tmp`), and for directories requiring global read/write access.

OVAL test results details

all local world-writable directories have sticky bit set oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_only_local_directories:obj:1 of type file_object

Behaviors	Path	Filename	Filter
no value	/	no value	oval:ssg-state_world_writable_and_not_sticky:ste:1

Ensure No World-Writable Files Exist

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_unauthorized_world_writable:def:1
Time	2021-06-18T12:05:30+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80818-8 References: BP28(R40), 6.1.10, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as `sysfs` or `procfs`.
Rationale	Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

OVAL test results details

world writable files oval:ssg-test_file_permissions_unauthorized_world_write:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_unauthorized_world_write:obj:1 of type file_object

Behaviors	Path	Filename	Filter	Filter	Filter	Filter
no value	/	^.*$	oval:ssg-state_file_permissions_unauthorized_world_write:ste:1	oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1	oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1	oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1

Add nosuid Option to /var

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_nosuid:def:1
Time	2021-06-18T12:05:31+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83383-0 References: BP28(R12)
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var`. The SUID and SGID permissions should not be required for this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.
Rationale	The presence of SUID and SGID executables should be tightly controlled.

OVAL test results details

nosuid on /var oval:ssg-test_var_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var	/dev/mapper/rhel-var	3b9bf26c-12ea-4f64-abc1-3fac0b5d2263	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	783872	64665	719207

Add noexec Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_tmp_noexec:def:1
Time	2021-06-18T12:05:31+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82151-2 References: BP28(R12), 1.1.10, CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, SV-230522r627750_rule
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/var/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

OVAL test results details

noexec on /var/tmp oval:ssg-test_var_tmp_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/tmp	/dev/mapper/rhel-var_tmp	5cdb94cd-dc68-4f07-aca4-c8f069f590f1	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10098	249486

Add noexec Option to /home

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_home_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_home_noexec:def:1
Time	2021-06-18T12:05:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83328-5 References: BP28(R12)
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/home`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.
Rationale	The `/home` directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.

OVAL test results details

noexec on /home oval:ssg-test_home_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	249c85b7-b274-4df5-8ef4-8790ff211f6a	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	13527	246057

Add noexec Option to /var

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_noexec:def:1
Time	2021-06-18T12:05:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83330-1 References: BP28(R12)
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.
Rationale	The `/var` directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.

OVAL test results details

noexec on /var oval:ssg-test_var_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var	/dev/mapper/rhel-var	3b9bf26c-12ea-4f64-abc1-3fac0b5d2263	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	783872	64660	719212

Add noexec Option to /boot

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_boot_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_boot_noexec:def:1
Time	2021-06-18T12:05:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83316-0 References: BP28(R12)
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/boot`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/boot`.
Rationale	The `/boot` partition contains the kernel and the bootloader. No binaries should be executed from this partition after the booting process finishes.

OVAL test results details

noexec on /boot oval:ssg-test_boot_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	9bdb2e77-09b5-4440-bb45-2979a88c80fd	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	129704	59981	69723

Add nosuid Option to /var/log

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_log_nosuid:def:1
Time	2021-06-18T12:05:32+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82065-4 References: BP28(R12), CCI-001764, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, SV-230515r627750_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/log`. The SUID and SGID permissions should not be required in directories containing log files. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

OVAL test results details

nosuid on /var/log oval:ssg-test_var_log_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/log	/dev/mapper/rhel-var_log	54ebd97a-fc48-4ff8-9e66-637df9cbc902	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	12678	246906

Add nosuid Option to /opt

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_opt_nosuid:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83319-4 References: BP28(R12)
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/opt`. The SUID and SGID permissions should not be required in this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/opt`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. The `/opt` directory contains additional software packages. Users should not be able to execute SUID or SGID binaries from this directory.

OVAL test results details

nosuid on /opt oval:ssg-test_opt_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/opt	/dev/mapper/rhel-opt	77ae06e9-6dd5-4e0a-b037-f3613a9d7b52	xfs	rw	seclabel	nosuid	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10073	249511

Add nosuid Option to /boot

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_boot_nosuid:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81033-3 References: BP28(R12), CCI-000366, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010571, SV-230300r627750_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/boot`. The SUID and SGID permissions should not be required on the boot partition. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/boot`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

OVAL test results details

nosuid on /boot oval:ssg-test_boot_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	9bdb2e77-09b5-4440-bb45-2979a88c80fd	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	129704	59981	69723

Add noexec Option to /var/log

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_log_noexec:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82008-4 References: BP28(R12), CCI-001764, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, SV-230516r627750_rule
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/log`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.
Rationale	Allowing users to execute binaries from directories containing log files such as `/var/log` should never be necessary in normal operation and can expose the system to potential compromise.

OVAL test results details

noexec on /var/log oval:ssg-test_var_log_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/log	/dev/mapper/rhel-var_log	54ebd97a-fc48-4ff8-9e66-637df9cbc902	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	12678	246906

Add noexec Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_tmp_noexec:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82139-7 References: BP28(R12), 1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, SV-230513r627750_rule
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

OVAL test results details

noexec on /tmp oval:ssg-test_tmp_partition_noexec:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/tmp	/dev/mapper/rhel-tmp	7046abce-80d6-421c-bff3-99e32bc334a2	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10119	249465

Add nosuid Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_tmp_nosuid:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82140-5 References: BP28(R12), 1.1.4, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, SV-230512r627750_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

OVAL test results details

nosuid on /tmp oval:ssg-test_tmp_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/tmp	/dev/mapper/rhel-tmp	7046abce-80d6-421c-bff3-99e32bc334a2	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10119	249465

Add nosuid Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_var_tmp_nosuid:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82154-6 References: BP28(R12), 1.1.9, CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, SV-230521r627750_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

OVAL test results details

nosuid on /var/tmp oval:ssg-test_var_tmp_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/tmp	/dev/mapper/rhel-var_tmp	5cdb94cd-dc68-4f07-aca4-c8f069f590f1	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10098	249486

Add nosuid Option to /home

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_home_nosuid:def:1
Time	2021-06-18T12:05:33+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81050-7 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, SV-230299r627750_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/home`. The SUID and SGID permissions should not be required in these user data directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

OVAL test results details

nosuid on /home oval:ssg-test_home_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	249c85b7-b274-4df5-8ef4-8790ff211f6a	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	13527	246057

Add nodev Option to Non-Root Local Partitions

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
Time	2021-06-18T12:05:34+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82069-6 References: BP28(R12), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010580, SV-230301r627750_rule
Description	The `nodev` mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of any non-root local partitions.
Rationale	The `nodev` mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set `nodev` on these filesystems.

OVAL test results details

nodev on local filesystems oval:ssg-test_nodev_nonroot_local_partitions:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_non_root_partitions:obj:1 of type partition_object

Mount point	Filter
^/\w.*$	oval:ssg-state_local_nodev:ste:1

Add nosuid Option to /srv

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_srv_nosuid:def:1
Time	2021-06-18T12:05:34+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83322-8 References: BP28(R12)
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/srv`. The SUID and SGID permissions should not be required in this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/srv`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. The `/srv` directory contains files served by various network services such as FTP. Users should not be able to execute SUID or SGID binaries from this directory.

OVAL test results details

nosuid on /srv oval:ssg-test_srv_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/srv	/dev/mapper/rhel-srv	77751d51-5128-44d4-b904-41179eafa70e	xfs	rw	seclabel	nosuid	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	10073	249511

Enable NX or XD Support in the BIOS

Rule ID	xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
Result	notchecked
Multi-check rule	no
Time	2021-06-18T12:05:35+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83918-3 References: BP28(R9), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.7, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, SC-39, CM-6(a), PR.IP-1
Description	Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
Rationale	Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.
Evaluation messages info No candidate or applicable check found.

Install PAE Kernel on Supported 32-bit x86 Systems

Rule ID	xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-install_PAE_kernel_on_x86-32:def:1
Time	2021-06-18T12:05:35+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83919-1 References: BP28(R9), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.7, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), PR.IP-1
Description	Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The `kernel-PAE` package can be installed with the following command: $ sudo yum install kernel-PAE The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify `/etc/default/grub` if necessary.
Rationale	On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
Warnings	warning The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as 8this may prevent them from booting.8

OVAL test results details

32 bit architecture oval:ssg-test_system_info_architecture_x86:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

CPUs support PAE kernel or NX bit oval:ssg-test_PAE_NX_cpu_support:tst:1 true

Following items have been found on the system:

Path	Content
/proc/cpuinfo	flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities

32 bit architecture oval:ssg-test_system_info_architecture_x86:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

Package kernel-PAE is installed oval:ssg-test_package_kernel-PAE_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_package_kernel-PAE_installed:obj:1 of type rpminfo_object

Name
kernel-PAE

check for DEFAULTKERNEL set to kernel-PAE in /etc/sysconfig/kernel oval:ssg-test_defaultkernel_sysconfig_kernel:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_defaultkernel_sysconfig_kernel:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysconfig/kernel	^\sDEFAULTKERNEL[\s]=[\s]*kernel-PAE$	1

Enable Randomized Layout of Virtual Address Space

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_randomize_va_space:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80916-0 References: BP28(R23), 1.6.2, 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, SV-230280r627750_rule
Description	To set the runtime status of the `kernel.randomize_va_space` kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.randomize_va_space = 2
Rationale	Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

OVAL test results details

kernel.randomize_va_space static configuration oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.randomize_va_space = 2

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.randomize_va_space = 2

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.randomize_va_space[\s]=[\s]2[\s]$	1

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.randomize_va_space[\s]=[\s]2[\s]$	1

kernel runtime parameter kernel.randomize_va_space set to 2 oval:ssg-test_sysctl_runtime_kernel_randomize_va_space:tst:1 true

Following items have been found on the system:

Name	Value
kernel.randomize_va_space	2

Restrict Exposed Kernel Pointer Addresses Access

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_kptr_restrict:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80915-2 References: BP28(R23), CCI-000366, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, RHEL-08-040283, SV-230547r627750_rule
Description	To set the runtime status of the `kernel.kptr_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.kptr_restrict = 1
Rationale	Exposing kernel pointers (through procfs or `seq_printf()`) exposes kernel writeable structures that can contain functions pointers. If a write vulnereability occurs in the kernel allowing a write access to any of this structure, the kernel can be compromise. This option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, replacing them with 0.

OVAL test results details

kernel.kptr_restrict static configuration oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	kernel.kptr_restrict = 1

kernel runtime parameter kernel.kptr_restrict set to 1 oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1 true

Following items have been found on the system:

Name	Value
kernel.kptr_restrict	1

Enable ExecShield via sysctl

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_exec_shield:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80914-5 References: BP28(R9), 12, 15, 8, APO13.01, DSS05.02, 3.1.7, CCI-002530, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-39, CM-6(a), PR.PT-4, SRG-OS-000433-GPOS-00192
Description	By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in `/etc/default/grub`. For Red Hat Enterprise Linux 7 32-bit systems, `sysctl` can be used to enable ExecShield.
Rationale	ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

OVAL test results details

32 bit architecture oval:ssg-test_system_info_architecture_x86:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

kernel runtime parameter kernel.exec-shield set to 1 oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_kernel_exec_shield:obj:1 of type sysctl_object

Name
kernel.exec-shield

kernel.exec-shield static configuration oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.exec-shield[\s]=[\s]1[\s]$	1

64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false

Following items have been found on the system:

Machine class	Node name	Os name	Os release	Os version	Processor type
x86_64	localhost.localdomain	Linux	4.18.0-314.el8.x86_64	#1 SMP Tue Jun 15 11:28:48 EDT 2021	x86_64

NX is disabled oval:ssg-test_nx_disabled_grub:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_nx_disabled_grub:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/grub.cfg	[\s]noexec[\s]=[\s]*off	1

Disable Core Dumps for SUID programs

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_fs_suid_dumpable:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80912-9 References: BP28(R23), 1.6.1, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b)
Description	To set the runtime status of the `fs.suid_dumpable` kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.suid_dumpable = 0
Rationale	The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

OVAL test results details

fs.suid_dumpable static configuration oval:ssg-test_static_sysctl_fs_suid_dumpable:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	fs.suid_dumpable = 0

fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_fs_suid_dumpable:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	fs.suid_dumpable = 0

fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_fs_suid_dumpable:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_fs_suid_dumpable:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]fs.suid_dumpable[\s]=[\s]0[\s]$	1

fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_fs_suid_dumpable:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_fs_suid_dumpable:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]fs.suid_dumpable[\s]=[\s]0[\s]$	1

kernel runtime parameter fs.suid_dumpable set to 0 oval:ssg-test_sysctl_runtime_fs_suid_dumpable:tst:1 true

Following items have been found on the system:

Name	Value
fs.suid_dumpable	0

Limit CPU consumption of the Perf system

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_perf_cpu_time_max_percent:def:1
Time	2021-06-18T12:05:34+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83373-1 References: BP28(R23)
Description	To set the runtime status of the `kernel.perf_cpu_time_max_percent` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_cpu_time_max_percent = 1
Rationale	The `kernel.perf_cpu_time_max_percent` configures a treshold of maximum percentile of CPU that can be used by Perf system. Restricting usage of `Perf` system decreases risk of potential availability problems.

OVAL test results details

kernel.perf_cpu_time_max_percent static configuration oval:ssg-test_static_sysctl_kernel_perf_cpu_time_max_percent:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.perf_cpu_time_max_percent = 1

kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_perf_cpu_time_max_percent:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.perf_cpu_time_max_percent = 1

kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_perf_cpu_time_max_percent:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_perf_cpu_time_max_percent:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.perf_cpu_time_max_percent[\s]=[\s]1[\s]$	1

kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.perf_cpu_time_max_percent[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.perf_cpu_time_max_percent set to 1 oval:ssg-test_sysctl_runtime_kernel_perf_cpu_time_max_percent:tst:1 true

Following items have been found on the system:

Name	Value
kernel.perf_cpu_time_max_percent	1

Disable loading and unloading of kernel modules

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_modules_disabled:def:1

Time 2021-06-18T12:05:34+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83397-0

References: BP28(R24)

Description

To set the runtime status of the kernel.modules_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.modules_disabled=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.modules_disabled = 1

Rationale

Malicious kernel modules can have a significant impact on system security and availability. Disabling loading of kernel modules prevents this threat. Note that once this option has been set, it cannot be reverted without doing a system reboot. Make sure that all needed kernel modules are loaded before setting this option.

Warnings

warning This rule doesn't come with Bash remediation. Remediating this rule during the installation process disrupts the install and boot process.

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.modules_disabled is set to 1
  sysctl:
    name: kernel.modules_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83397-0
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_modules_disabled

OVAL test results details

kernel.modules_disabled static configuration oval:ssg-test_static_sysctl_kernel_modules_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_modules_disabled:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.modules_disabled[\s]=[\s]1[\s]$	1

kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_modules_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_modules_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.modules_disabled[\s]=[\s]1[\s]$	1

kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_modules_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_modules_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.modules_disabled[\s]=[\s]1[\s]$	1

kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_modules_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_modules_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.modules_disabled[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.modules_disabled set to 1 oval:ssg-test_sysctl_runtime_kernel_modules_disabled:tst:1 false

Following items have been found on the system:

Name	Value
kernel.modules_disabled	0

Restrict Access to Kernel Message Buffer

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_dmesg_restrict:def:1
Time	2021-06-18T12:05:34+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80913-7 References: BP28(R23), 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010375, SV-230269r627750_rule
Description	To set the runtime status of the `kernel.dmesg_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.dmesg_restrict = 1
Rationale	Unprivileged access to the kernel syslog can expose sensitive kernel address information.

OVAL test results details

kernel.dmesg_restrict static configuration oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.dmesg_restrict = 1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.dmesg_restrict = 1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.dmesg_restrict set to 1 oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1 true

Following items have been found on the system:

Name	Value
kernel.dmesg_restrict	1

Disallow magic SysRq key

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_sysrq:def:1
Time	2021-06-18T12:05:34+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83355-8 References: BP28(R23)
Description	To set the runtime status of the `kernel.sysrq` kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.sysrq = 0
Rationale	The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. It can also reboot or shutdown the machine, disturbing its availability.

OVAL test results details

kernel.sysrq static configuration oval:ssg-test_static_sysctl_kernel_sysrq:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.sysrq = 0

kernel.sysrq static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_sysrq:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.sysrq = 0

kernel.sysrq static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_sysrq:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_sysrq:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.sysrq[\s]=[\s]0[\s]$	1

kernel.sysrq static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_sysrq:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_sysrq:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.sysrq[\s]=[\s]0[\s]$	1

kernel runtime parameter kernel.sysrq set to 0 oval:ssg-test_sysctl_runtime_kernel_sysrq:tst:1 true

Following items have been found on the system:

Name	Value
kernel.sysrq	0

Configure maximum number of process identifiers

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_pid_max:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83366-5 References: BP28(R23)
Description	To set the runtime status of the `kernel.pid_max` kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.pid_max = 65536
Rationale	The `kernel.pid_max` parameter configures upper limit on process identifiers (PID). If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.

OVAL test results details

kernel.pid_max static configuration oval:ssg-test_static_sysctl_kernel_pid_max:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.pid_max = 65536

kernel.pid_max static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_pid_max:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.pid_max = 65536

kernel.pid_max static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_pid_max:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_pid_max:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.pid_max[\s]=[\s]65536[\s]$	1

kernel.pid_max static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_pid_max:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_pid_max:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.pid_max[\s]=[\s]65536[\s]$	1

kernel runtime parameter kernel.pid_max set to 65536 oval:ssg-test_sysctl_runtime_kernel_pid_max:tst:1 true

Following items have been found on the system:

Name	Value
kernel.pid_max	65536

Restrict usage of ptrace to descendant processes

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80953-3 References: BP28(R25), CCI-000366, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040282, SV-230546r627750_rule
Description	To set the runtime status of the `kernel.yama.ptrace_scope` kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.yama.ptrace_scope = 1
Rationale	Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

OVAL test results details

kernel.yama.ptrace_scope static configuration oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.yama.ptrace_scope = 1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.yama.ptrace_scope = 1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.yama.ptrace_scope set to 1 oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1 true

Following items have been found on the system:

Name	Value
kernel.yama.ptrace_scope	1

Limit sampling frequency of the Perf system

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_perf_event_max_sample_rate:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83368-1 References: BP28(R23)
Description	To set the runtime status of the `kernel.perf_event_max_sample_rate` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_event_max_sample_rate = 1
Rationale	The `kernel.perf_event_max_sample_rate` parameter configures maximum frequency of collecting of samples for the Perf system. It is expressed in samples per second. Restricting usage of `Perf` system decreases risk of potential availability problems.

OVAL test results details

kernel.perf_event_max_sample_rate static configuration oval:ssg-test_static_sysctl_kernel_perf_event_max_sample_rate:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.perf_event_max_sample_rate = 1

kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_perf_event_max_sample_rate:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.perf_event_max_sample_rate = 1

kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_perf_event_max_sample_rate:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_perf_event_max_sample_rate:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_max_sample_rate[\s]=[\s]1[\s]$	1

kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_max_sample_rate[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.perf_event_max_sample_rate set to 1 oval:ssg-test_sysctl_runtime_kernel_perf_event_max_sample_rate:tst:1 true

Following items have been found on the system:

Name	Value
kernel.perf_event_max_sample_rate	1

Disallow kernel profiling by unprivileged users

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_perf_event_paranoid:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81054-9 References: BP28(R23), CCI-001090, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010376, SV-230270r627750_rule
Description	To set the runtime status of the `kernel.perf_event_paranoid` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_event_paranoid = 2
Rationale	Kernel profiling can reveal sensitive information about kernel behaviour.

OVAL test results details

kernel.perf_event_paranoid static configuration oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	kernel.perf_event_paranoid = 2

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	kernel.perf_event_paranoid = 2

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel runtime parameter kernel.perf_event_paranoid set to 2 oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1 true

Following items have been found on the system:

Name	Value
kernel.perf_event_paranoid	2

Prevent applications from mapping low portion of virtual memory

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_vm_mmap_min_addr:def:1
Time	2021-06-18T12:05:35+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83363-2 References: BP28(R23)
Description	To set the runtime status of the `vm.mmap_min_addr` kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: vm.mmap_min_addr = 65536
Rationale	The `vm.mmap_min_addr` parameter specifies the minimum virtual address that a process is allowed to mmap. Allowing a process to mmap low portion of virtual memory can have security implications such as such as heightened risk of kernel null pointer dereference defects.

OVAL test results details

vm.mmap_min_addr static configuration oval:ssg-test_static_sysctl_vm_mmap_min_addr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	vm.mmap_min_addr = 65536

vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_vm_mmap_min_addr:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	vm.mmap_min_addr = 65536

vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_vm_mmap_min_addr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_vm_mmap_min_addr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]vm.mmap_min_addr[\s]=[\s]65536[\s]$	1

vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_vm_mmap_min_addr:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_vm_mmap_min_addr:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]vm.mmap_min_addr[\s]=[\s]65536[\s]$	1

kernel runtime parameter vm.mmap_min_addr set to 65536 oval:ssg-test_sysctl_runtime_vm_mmap_min_addr:tst:1 true

Following items have been found on the system:

Name	Value
vm.mmap_min_addr	65536

Set Boot Loader Password in grub2

Rule ID	xccdf_org.ssgproject.content_rule_grub2_password
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_password:def:1
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80828-7 References: BP28(R17), 1.5.2, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, SV-230235r627750_rule
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: $ grub2-setpassword When prompted, enter the password that was selected. Once the superuser password has been added, update the `grub.cfg` file by running: grub2-mkconfig -o /boot/grub2/grub.cfg
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

OVAL test results details

Check if /boot/grub2/grub.cfg does not exist oval:ssg-test_grub2_password_file_boot_grub2_grub_cfg_absent:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/boot/grub2/grub.cfg	regular	0	0	6460	`rw-r--r--`

make sure a password is defined in /boot/grub2/user.cfg oval:ssg-test_grub2_password_usercfg:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_password_usercfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/user.cfg	^[\s]GRUB2_PASSWORD=grub\.pbkdf2\.sha512.$	1

make sure a password is defined in /boot/grub2/grub.cfg oval:ssg-test_grub2_password_grubcfg:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_password_grubcfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/grub.cfg	^[\s]password_pbkdf2[\s]+.[\s]+grub\.pbkdf2\.sha512.*$	1

superuser is defined in /boot/grub2/grub.cfg files. oval:ssg-test_bootloader_superuser:tst:1 true

Following items have been found on the system:

Path	Content
/boot/grub2/grub.cfg	set superusers="root"

Set the UEFI Boot Loader Password

Rule ID	xccdf_org.ssgproject.content_rule_grub2_uefi_password
Result	notapplicable
Multi-check rule	no
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80829-5 References: BP28(R17), 1.5.2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, SV-230234r627750_rule
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: $ grub2-setpassword When prompted, enter the password that was selected. Once the superuser password has been added, update the `grub.cfg` file by running: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

IOMMU configuration directive

Rule ID	xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_enable_iommu_force:def:1
Time	2021-06-18T12:05:35+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-83920-9 References: BP28(R11)
Description	On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory.
Rationale	On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by hardware devices.
Warnings	warning Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.

OVAL test results details

check forkernel command line parameters iommu=force in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_iommu_argument_grub_env:tst:1 true

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rd.lvm.lv=rhel/usr rhgb quiet iommu=force

Enable the deny_execmem SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_deny_execmem
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_deny_execmem:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83307-9 References: BP28(R67)
Description	By default, the SELinux boolean `deny_execmem` is disabled. If this setting is disabled, it should be enabled. To disable the `deny_execmem` SELinux boolean, run the following command: $ sudo setsebool -P deny_execmem off
Rationale	Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.
Warnings	warning This rule doesn't come with a remediation, as enabling this SELinux boolean can cause applications to malfunction, for example Graphical login managers and Firefox. warning Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.

OVAL test results details

deny_execmem is configured correctly oval:ssg-test_sebool_deny_execmem:tst:1 false

Following items have been found on the system:

Name	Current status	Pending status
deny_execmem	false	false

Disable the secure_mode_insmod SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_secure_mode_insmod:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83310-3 References: BP28(R67)
Description	By default, the SELinux boolean `secure_mode_insmod` is disabled. If this setting is enabled, it should be disabled. To disable the `secure_mode_insmod` SELinux boolean, run the following command: $ sudo setsebool -P secure_mode_insmod off
Rationale

OVAL test results details

secure_mode_insmod is configured correctly oval:ssg-test_sebool_secure_mode_insmod:tst:1 true

Following items have been found on the system:

Name	Current status	Pending status
secure_mode_insmod	true	true

Disable the selinuxuser_execheap SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_selinuxuser_execheap:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80949-1 References: BP28(R67), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
Description	By default, the SELinux boolean `selinuxuser_execheap` is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the `selinuxuser_execheap` SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_execheap off
Rationale	Disabling code execution from the heap blocks buffer overflow attacks.

OVAL test results details

selinuxuser_execheap is configured correctly oval:ssg-test_sebool_selinuxuser_execheap:tst:1 true

Following items have been found on the system:

Name	Current status	Pending status
selinuxuser_execheap	false	false

Disable the polyinstantiation_enabled SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_polyinstantiation_enabled:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-84230-2 References: BP28(R39)
Description	By default, the SELinux boolean `polyinstantiation_enabled` is disabled. If this setting is enabled, it should be disabled. To disable the `polyinstantiation_enabled` SELinux boolean, run the following command: $ sudo setsebool -P polyinstantiation_enabled off
Rationale

OVAL test results details

polyinstantiation_enabled is configured correctly oval:ssg-test_sebool_polyinstantiation_enabled:tst:1 true

Following items have been found on the system:

Name	Current status	Pending status
polyinstantiation_enabled	true	true

disable the selinuxuser_execstack SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_selinuxuser_execstack:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80951-7 References: BP28(R67), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
Description	By default, the SELinux boolean `selinuxuser_execstack` is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the `selinuxuser_execstack` SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_execstack off
Rationale	Disabling code execution from the stack blocks buffer overflow attacks.

OVAL test results details

selinuxuser_execstack is configured correctly oval:ssg-test_sebool_selinuxuser_execstack:tst:1 true

Following items have been found on the system:

Name	Current status	Pending status
selinuxuser_execstack	false	false

Disable the ssh_sysadm_login SELinux Boolean

Rule ID	xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sebool_ssh_sysadm_login:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83311-1 References: BP28(R67)
Description	By default, the SELinux boolean `ssh_sysadm_login` is disabled. If this setting is enabled, it should be disabled. To disable the `ssh_sysadm_login` SELinux boolean, run the following command: $ sudo setsebool -P ssh_sysadm_login off
Rationale

OVAL test results details

ssh_sysadm_login is configured correctly oval:ssg-test_sebool_ssh_sysadm_login:tst:1 true

Following items have been found on the system:

Name	Current status	Pending status
ssh_sysadm_login	false	false

Uninstall setroubleshoot-plugins Package

Rule ID	xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_setroubleshoot-plugins_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-84250-0 References: BP28(R68)
Description	The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot-plugins` package can be removed with the following command: $ sudo yum erase setroubleshoot-plugins
Rationale	The SETroubleshoot service is an unnecessary daemon to have running on a server.

OVAL test results details

package setroubleshoot-plugins is removed oval:ssg-test_package_setroubleshoot-plugins_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_setroubleshoot-plugins_removed:obj:1 of type rpminfo_object

Name
setroubleshoot-plugins

Uninstall setroubleshoot-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_setroubleshoot-server_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83490-3 References: BP28(R68)
Description	The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot-server` package can be removed with the following command: $ sudo yum erase setroubleshoot-server
Rationale	The SETroubleshoot service is an unnecessary daemon to have running on a server.

OVAL test results details

package setroubleshoot-server is removed oval:ssg-test_package_setroubleshoot-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_setroubleshoot-server_removed:obj:1 of type rpminfo_object

Name
setroubleshoot-server

Uninstall setroubleshoot Package

Rule ID	xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_setroubleshoot_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82755-0 References: BP28(R68), 1.7.1.6
Description	The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot` package can be removed with the following command: $ sudo yum erase setroubleshoot
Rationale	The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.

OVAL test results details

package setroubleshoot is removed oval:ssg-test_package_setroubleshoot_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_setroubleshoot_removed:obj:1 of type rpminfo_object

Name
setroubleshoot

Configure SELinux Policy

Rule ID	xccdf_org.ssgproject.content_rule_selinux_policytype
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_policytype:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80868-3 References: BP28(R66), 1.7.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010450, SV-230282r627750_rule, SRG-OS-000445-VMM-001780
Description	The SELinux `targeted` policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in `/etc/selinux/config`: SELINUXTYPE=targeted Other policies, such as `mls`, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale	Setting the SELinux policy to `targeted` or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in `permissive` mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to `targeted`.

OVAL test results details

Tests the value of the ^[\s]SELINUXTYPE[\s]=[\s]([^#]) expression in the /etc/selinux/config file oval:ssg-test_selinux_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/selinux/config	SELINUXTYPE=targeted

Ensure SELinux State is Enforcing

Rule ID	xccdf_org.ssgproject.content_rule_selinux_state
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_state:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80869-1 References: BP28(R4), BP28(R66), 1.7.1.4, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010170, SV-230240r627750_rule, SRG-OS-000445-VMM-001780
Description	The SELinux state should be set to `enforcing` at system boot time. In the file `/etc/selinux/config`, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing
Rationale	Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

OVAL test results details

/selinux/enforce is 1 oval:ssg-test_etc_selinux_config:tst:1 true

Following items have been found on the system:

Path	Content
/etc/selinux/config	SELINUX=enforcing

Configure System to Forward All Mail For The Root Account

Rule ID	xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-postfix_client_configure_mail_alias:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82381-5 References: BP28(R49), CCI-000139, CCI-000366, CM-6(a), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule
Description	Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address system.administrator@mail.mil is a valid email address reachable from the system in question. Use the following command to configure the alias: $ sudo echo "root: system.administrator@mail.mil" >> /etc/aliases $ sudo newaliases
Rationale	A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

OVAL test results details

Check if root has the correct mail alias. oval:ssg-test_postfix_client_configure_mail_alias:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aliases	root: system.administrator@mail.mil

Disable Postfix Network Listening

Rule ID	xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-postfix_network_listening_disabled:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82174-4 References: BP28(R48), 2.2.18, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	Edit the file `/etc/postfix/main.cf` to ensure that only the following `inet_interfaces` line appears: inet_interfaces = loopback-only
Rationale	This ensures `postfix` accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

OVAL test results details

package postfix is installed oval:ssg-test_service_postfix_package_postfix_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_postfix_package_postfix_installed:obj:1 of type rpminfo_object

Name
postfix

Test that the postfix service is running oval:ssg-test_service_running_postfix:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_running_postfix:obj:1 of type systemdunitproperty_object

Unit	Property
^postfix\.(socket\|service)$	ActiveState

systemd test oval:ssg-test_multi_user_wants_postfix:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	var-tmp.mount	var.mount	sysinit.target	plymouth-read-write.service	lvm2-monitor.service	cryptsetup.target	systemd-hwdb-update.service	sys-kernel-debug.mount	local-fs.target	-.mount	srv.mount	opt.mount	home.mount	var-log.mount	tmp.mount	var-log-audit.mount	usr.mount	boot.mount	systemd-remount-fs.service	ostree-remount.service	lvm2-lvmpolld.socket	systemd-journal-flush.service	nis-domainname.service	iscsi-onboot.service	ldconfig.service	systemd-udevd.service	systemd-journal-catalog-update.service	systemd-update-utmp.service	systemd-random-seed.service	plymouth-start.service	dev-mqueue.mount	systemd-tmpfiles-setup.service	systemd-update-done.service	systemd-sysctl.service	systemd-modules-load.service	proc-sys-fs-binfmt_misc.automount	systemd-binfmt.service	selinux-autorelabel-mark.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	dev-hugepages.mount	systemd-udev-trigger.service	systemd-machine-id-commit.service	systemd-sysusers.service	import-state.service	systemd-firstboot.service	sys-kernel-config.mount	loadmodules.service	swap.target	dev-mapper-rhel\x2dswap.swap	kmod-static-nodes.service	multipathd.service	systemd-tmpfiles-setup-dev.service	systemd-journald.service	dracut-shutdown.service	paths.target	timers.target	dnf-makecache.timer	dnf-automatic.timer	mlocate-updatedb.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	sockets.target	systemd-journald.socket	avahi-daemon.socket	systemd-journald-dev-log.socket	dm-event.socket	libvirtd-ro.socket	dbus.socket	libvirtd.socket	virtlogd.socket	virtlockd.socket	systemd-coredump.socket	iscsiuio.socket	systemd-udevd-kernel.socket	multipathd.socket	systemd-initctl.socket	iscsid.socket	cups.socket	systemd-udevd-control.socket	rpcbind.socket	sssd-kcm.socket	microcode.service	mdmonitor.service	smartd.service	sssd.service	plymouth-quit-wait.service	auditd.service	nfs-client.target	auth-rpcgss-module.service	rpc-statd-notify.service	remote-fs-pre.target	getty.target	getty@tty1.service	vdo.service	plymouth-quit.service	mcelog.service	systemd-ask-password-wall.path	ksm.service	tuned.service	rpcbind.service	rsyslog.service	ModemManager.service	chronyd.service	systemd-logind.service	systemd-update-utmp-runlevel.service	crond.service	NetworkManager.service	libstoragemgmt.service	vmtoolsd.service	sshd.service	ksmtuned.service	firewalld.service	irqbalance.service	cups.service	systemd-user-sessions.service	rhsmcertd.service	avahi-daemon.service	dbus.service	kdump.service	libvirtd.service	cups.path	remote-fs.target	iscsi.service	var-lib-machines.mount	atd.service

systemd test oval:ssg-test_multi_user_wants_postfix_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	var-tmp.mount	var.mount	sysinit.target	plymouth-read-write.service	lvm2-monitor.service	cryptsetup.target	systemd-hwdb-update.service	sys-kernel-debug.mount	local-fs.target	-.mount	srv.mount	opt.mount	home.mount	var-log.mount	tmp.mount	var-log-audit.mount	usr.mount	boot.mount	systemd-remount-fs.service	ostree-remount.service	lvm2-lvmpolld.socket	systemd-journal-flush.service	nis-domainname.service	iscsi-onboot.service	ldconfig.service	systemd-udevd.service	systemd-journal-catalog-update.service	systemd-update-utmp.service	systemd-random-seed.service	plymouth-start.service	dev-mqueue.mount	systemd-tmpfiles-setup.service	systemd-update-done.service	systemd-sysctl.service	systemd-modules-load.service	proc-sys-fs-binfmt_misc.automount	systemd-binfmt.service	selinux-autorelabel-mark.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	dev-hugepages.mount	systemd-udev-trigger.service	systemd-machine-id-commit.service	systemd-sysusers.service	import-state.service	systemd-firstboot.service	sys-kernel-config.mount	loadmodules.service	swap.target	dev-mapper-rhel\x2dswap.swap	kmod-static-nodes.service	multipathd.service	systemd-tmpfiles-setup-dev.service	systemd-journald.service	dracut-shutdown.service	paths.target	timers.target	dnf-makecache.timer	dnf-automatic.timer	mlocate-updatedb.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	sockets.target	systemd-journald.socket	avahi-daemon.socket	systemd-journald-dev-log.socket	dm-event.socket	libvirtd-ro.socket	dbus.socket	libvirtd.socket	virtlogd.socket	virtlockd.socket	systemd-coredump.socket	iscsiuio.socket	systemd-udevd-kernel.socket	multipathd.socket	systemd-initctl.socket	iscsid.socket	cups.socket	systemd-udevd-control.socket	rpcbind.socket	sssd-kcm.socket	microcode.service	mdmonitor.service	smartd.service	sssd.service	plymouth-quit-wait.service	auditd.service	nfs-client.target	auth-rpcgss-module.service	rpc-statd-notify.service	remote-fs-pre.target	getty.target	getty@tty1.service	vdo.service	plymouth-quit.service	mcelog.service	systemd-ask-password-wall.path	ksm.service	tuned.service	rpcbind.service	rsyslog.service	ModemManager.service	chronyd.service	systemd-logind.service	systemd-update-utmp-runlevel.service	crond.service	NetworkManager.service	libstoragemgmt.service	vmtoolsd.service	sshd.service	ksmtuned.service	firewalld.service	irqbalance.service	cups.service	systemd-user-sessions.service	rhsmcertd.service	avahi-daemon.service	dbus.service	kdump.service	libvirtd.service	cups.path	remote-fs.target	iscsi.service	var-lib-machines.mount	atd.service

inet_interfaces in /etc/postfix/main.cf should be set correctly oval:ssg-test_postfix_network_listening_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_postfix_network_listening_disabled:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/postfix/main.cf	^[\s]inet_interfaces[\s]=[\s](.)[\s]*$	1

Uninstall Sendmail Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sendmail_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_sendmail_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81039-0 References: BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, RHEL-08-040002, SV-230489r627750_rule
Description	Sendmail is not the default mail transfer agent and is not installed by default. The `sendmail` package can be removed with the following command: $ sudo yum erase sendmail
Rationale	The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

OVAL test results details

package sendmail is removed oval:ssg-test_package_sendmail_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type rpminfo_object

Name
sendmail

Disable SSH Root Login

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_root_login:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80901-2 References: BP28(R19), NT007(R21), 5.2.10, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_UAU.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, RHEL-08-010550, SV-230296r627750_rule, SRG-OS-000480-VMM-002000
Description	The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in `/etc/ssh/sshd_config`: PermitRootLogin no
Rationale	Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_root_login:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	PermitRootLogin no

Set SSH Idle Timeout Interval

Rule ID	xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_set_idle_timeout:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80906-1 References: BP28(R29), 5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, RHEL-08-010200, SV-230244r627750_rule, SRG-OS-000480-VMM-002000
Description	SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in `/etc/ssh/sshd_config` as follows: ClientAliveInterval 600 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in `/etc/ssh/sshd_config`. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale	Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Warnings	warning SSH disconnecting idle clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration. warning Following conditions may prevent the SSH session to time out: Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens. Any `scp` or `sftp` activity by the same user to the host resets the timeout.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

timeout is configured oval:ssg-test_sshd_idle_timeout:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	ClientAliveInterval 600

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_clientalivecountmax:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	ClientAliveCountMax 0

Set SSH Client Alive Count Max

Rule ID	xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_set_keepalive:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80907-9 References: BP28(R29), 5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000
Description	The SSH server sends at most `ClientAliveCountMax` messages during a SSH session and waits for a response from the SSH client. The option `ClientAliveInterval` configures timeout after each `ClientAliveCountMax` message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. For SSH earlier than v8.2, a `ClientAliveCountMax` value of `0` causes an idle timeout precisely when the `ClientAliveInterval` is set. Starting with v8.2, a value of `0` disables the timeout functionality completely. If the option is set to a number greater than `0`, then the idle session will be disconnected after `ClientAliveInterval * ClientAliveCountMax` seconds.
Rationale	This ensures a user login will be terminated as soon as the `ClientAliveInterval` is reached.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	9.el8	8.0p1	0:8.0p1-9.el8	199e2f91fd431d51	openssh-server-0:8.0p1-9.el8.x86_64

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_clientalivecountmax:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	ClientAliveCountMax 0

Verify Permissions on SSH Server Private *_key Key Files

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_private_key:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82424-3 References: BP28(R36), 5.2.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010490, SV-230287r627750_rule
Description	To properly set the permissions of `/etc/ssh/_key`, run the command: $ sudo chmod 0640 /etc/ssh/_key
Rationale	If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

OVAL test results details

Testing mode of /etc/ssh/ oval:ssg-test_file_permissions_sshd_private_key:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_sshd_private_key:obj:1 of type file_object

Path	Filename	Filter
/etc/ssh/	^.*_key$	oval:ssg-state_file_permissions_sshd_private_key_mode_not_0640:ste:1

The Chrony package is installed

Rule ID	xccdf_org.ssgproject.content_rule_package_chrony_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_chrony_installed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82874-9 References: BP28(R43), 2.2.1.1, 0988, 1405, FMT_SMF_EXT.1, SRG-OS-000355-GPOS-00143
Description	System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The `chrony` package can be installed with the following command: $ sudo yum install chrony
Rationale	Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.

OVAL test results details

package chrony is installed oval:ssg-test_package_chrony_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
chrony	x86_64	(none)	2.el8	3.5	0:3.5-2.el8	199e2f91fd431d51	chrony-0:3.5-2.el8.x86_64

A remote time server for Chrony is configured

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-chronyd_specify_remote_server:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82873-1 References: BP28(R43), 2.2.1.2, 0988, 1405
Description	`Chrony` is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on `chrony` can be found at http://chrony.tuxfamily.org/. `Chrony` can be configured to be a client and/or a server. Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server <remote-server> Multiple servers may be configured.
Rationale	If `chrony` is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

OVAL test results details

Ensure at least one NTP server is set oval:ssg-test_chronyd_remote_server:tst:1 true

Following items have been found on the system:

Path	Content
/etc/chrony.conf	pool 2.rhel.pool.ntp.org iburst

Uninstall rsh-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_rsh-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsh-server_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82184-3 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule
Description	The `rsh-server` package can be removed with the following command: $ sudo yum erase rsh-server
Rationale	The `rsh-server` service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The `rsh-server` package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

OVAL test results details

package rsh-server is removed oval:ssg-test_package_rsh-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type rpminfo_object

Name
rsh-server

Uninstall rsh Package

Rule ID	xccdf_org.ssgproject.content_rule_package_rsh_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsh_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82183-5 References: BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
Description	The `rsh` package contains the client commands for the rsh services
Rationale	These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh` package removes the clients for `rsh`,`rcp`, and `rlogin`.

OVAL test results details

package rsh is removed oval:ssg-test_package_rsh_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_rsh_removed:obj:1 of type rpminfo_object

Name
rsh

Remove NIS Client

Rule ID	xccdf_org.ssgproject.content_rule_package_ypbind_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_ypbind_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82181-9 References: BP28(R1), 2.3.1, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Description	The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (`ypbind`) was used to bind a system to an NIS server and receive the distributed configuration files.
Rationale	The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

OVAL test results details

package ypbind is removed oval:ssg-test_package_ypbind_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_ypbind_removed:obj:1 of type rpminfo_object

Name
ypbind

Uninstall ypserv Package

Rule ID	xccdf_org.ssgproject.content_rule_package_ypserv_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_ypserv_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82432-6 References: BP28(R1), 2.2.17, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049
Description	The `ypserv` package can be removed with the following command: $ sudo yum erase ypserv
Rationale	The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the `ypserv` package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

OVAL test results details

package ypserv is removed oval:ssg-test_package_ypserv_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_ypserv_removed:obj:1 of type rpminfo_object

Name
ypserv

Uninstall telnet-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_telnet-server_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82182-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, SV-230487r627750_rule
Description	The `telnet-server` package can be removed with the following command: $ sudo yum erase telnet-server
Rationale	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the `telnet-server` package decreases the risk of the telnet service's accidental (or intentional) activation.

OVAL test results details

package telnet-server is removed oval:ssg-test_package_telnet-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object

Name
telnet-server

Remove telnet Clients

Rule ID	xccdf_org.ssgproject.content_rule_package_telnet_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_telnet_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80849-3 References: BP28(R1), 2.3.2, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
Description	The telnet client allows users to start connections to other systems via the telnet protocol.
Rationale	The `telnet` protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The `ssh` package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.

OVAL test results details

package telnet is removed oval:ssg-test_package_telnet_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type rpminfo_object

Name
telnet

Uninstall xinetd Package

Rule ID	xccdf_org.ssgproject.content_rule_package_xinetd_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_xinetd_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80850-1 References: BP28(R1), 2.1.1, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Description	The `xinetd` package can be removed with the following command: $ sudo yum erase xinetd
Rationale	Removing the `xinetd` package decreases the risk of the xinetd service's accidental (or intentional) activation.

OVAL test results details

package xinetd is removed oval:ssg-test_package_xinetd_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_xinetd_removed:obj:1 of type rpminfo_object

Name
xinetd

Uninstall talk-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_talk-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_talk-server_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82180-1 References: BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Description	The `talk-server` package can be removed with the following command: $ sudo yum erase talk-server
Rationale	The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the `talk-server` package decreases the risk of the accidental (or intentional) activation of talk services.

OVAL test results details

package talk-server is removed oval:ssg-test_package_talk-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_talk-server_removed:obj:1 of type rpminfo_object

Name
talk-server

Uninstall talk Package

Rule ID	xccdf_org.ssgproject.content_rule_package_talk_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_talk_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80848-5 References: BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Description	The `talk` package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The `talk` package can be removed with the following command: $ sudo yum erase talk
Rationale	The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the `talk` package decreases the risk of the accidental (or intentional) activation of talk client program.

OVAL test results details

package talk is removed oval:ssg-test_package_talk_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_talk_removed:obj:1 of type rpminfo_object

Name
talk

Uninstall tftp-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_tftp-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_tftp-server_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82436-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, SV-230533r627750_rule
Description	The `tftp-server` package can be removed with the following command: $ sudo yum erase tftp-server
Rationale	Removing the `tftp-server` package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

OVAL test results details

package tftp-server is removed oval:ssg-test_package_tftp-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object

Name
tftp-server

Remove tftp Daemon

Rule ID	xccdf_org.ssgproject.content_rule_package_tftp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_tftp_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83590-0 References: BP28(R1)
Description	Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package `tftp` is a client program that allows for connections to a `tftp` server.
Rationale	It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.

OVAL test results details

package tftp is removed oval:ssg-test_package_tftp_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_tftp_removed:obj:1 of type rpminfo_object

Name
tftp

Uninstall DHCP Server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_dhcp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_dhcp_removed:def:1
Time	2021-06-18T12:05:36+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83385-5 References: BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The `dhcp` package can be removed with the following command: $ sudo yum erase dhcp
Rationale	Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

OVAL test results details

package dhcp-server is removed oval:ssg-test_package_dhcp-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dhcp-server_removed:obj:1 of type rpminfo_object

Name
dhcp-server

Scroll back to the first rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.