commit 527027f3265cf06e26d36df260eabe63b8a24166 Author: Gabriel Becker Date: Thu Feb 17 12:32:24 2022 +0100 Custom patch for RHEL7.9 PR 8140. diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile index e2c4f9a..f020bc0 100644 --- a/products/rhel7/profiles/stig.profile +++ b/products/rhel7/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V3R5 + version: V3R6 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V3R5. + DISA STIG for Red Hat Enterprise Linux V3R6. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile index 2c5821f..932d034 100644 --- a/products/rhel7/profiles/stig_gui.profile +++ b/products/rhel7/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V3R5 + version: V3R6 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux V3R5. + DISA STIG with GUI for Red Hat Enterprise Linux V3R6. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml similarity index 81% rename from shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml rename to shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml index a674d50..62c5f36 100644 --- a/shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml @@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 27 Oct 20213.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. +acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Jan 20223.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: @@ -543,20 +543,20 @@ Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" # grep maxrepeat /etc/security/pwquality.conf maxrepeat = 3 -If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86541V-71917CCI-000195Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): -maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. +maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: -# grep maxclassrepeat /etc/security/pwquality.conf +$ sudo grep maxclassrepeat /etc/security/pwquality.conf maxclassrepeat = 4 -If the value of "maxclassrepeat" is set to more than "4", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/system-auth": pam_unix.so sha512 shadow try_first_pass use_authtok @@ -661,7 +661,7 @@ Check for the value of the "minlen" option in "/etc/security/pwquality.conf" wit # grep minlen /etc/security/pwquality.conf minlen = 15 -If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. +If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. @@ -682,20 +682,21 @@ PermitEmptyPasswords no If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. -If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. +If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. -Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. +Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password expires. Add the following line to "/etc/default/useradd" (or modify the line to have the required value): -INACTIVE=0If passwords are not being used for authentication, this is Not Applicable. +INACTIVE=35 +DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.If passwords are not being used for authentication, this is Not Applicable. Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: # grep -i inactive /etc/default/useradd -INACTIVE=0 +INACTIVE=35 -If the value is not set to "0", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. +If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. @@ -1615,7 +1616,7 @@ Note: The example will be for a system that is configured to create users' home # grep <file> /home/*/.* -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72039SV-86663CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: +If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: # rpm -qf <filename> @@ -2269,526 +2270,120 @@ The audit daemon must be restarted for the changes to take effect.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw chown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030380The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86723V-72099CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw fchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030390The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72101SV-86725CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw lchown /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030400The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72103SV-86727CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw fchownat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -# grep -iw chmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030420The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86731V-72107CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -# grep -iw fchmod /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030430The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86733V-72109CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following command: - -# grep -iw fchmodat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw setxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030450The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86737V-72113CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw fsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030460The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72115SV-86739CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw lsetxattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030470The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72117SV-86741CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw removexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030480The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86743V-72119CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw fremovexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030490The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72121SV-86745CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw lremovexattr /etc/audit/audit.rules - --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod - -If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030500The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72123SV-86747CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules: - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw creat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw open /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030520The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72127SV-86751CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw openat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030530The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86753V-72129CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw open_by_handle_at /etc/audit/audit.rules - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030540The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86755V-72131CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw truncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding. - -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. - -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030550The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72133SV-86757CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw ftruncate /etc/audit/audit.rules - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": -If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding. +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod -If the output does not produce rules containing "-F exit=-EPERM", this is a finding. +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" syscalls. + +Check the file system rules in "/etc/audit/audit.rules" with the following commands: + +# grep chown /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. + +Check the file system rules in "/etc/audit/audit.rules" with the following command: + +# grep chmod /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod + +If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. + +Check the file system rules in "/etc/audit/audit.rules" with the following commands: + +# grep xattr /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod + +If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. + +Check the file system rules in "/etc/audit/audit.rules" with the following commands: + +# grep 'open\|truncate\|creat' /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + +If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. + +If the output does not produce rules containing "-F exit=-EPERM", this is a finding. + If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -3273,51 +2868,31 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: -a always,exit -F arch=b64 -S create_module -k module-change -If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S init_module -k module-change - --a always,exit -F arch=b64 -S init_module -k module-change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep -iw init_module /etc/audit/audit.rules - --a always,exit -F arch=b32 -S init_module -k module-change - --a always,exit -F arch=b64 -S init_module -k module-change - -If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030821The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-79001SV-93707CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. - -Add or update the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S finit_module -k module-change - --a always,exit -F arch=b64 -S finit_module -k module-change - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. - -Check the auditing rules in "/etc/audit/audit.rules" with the following command: - -# grep -iw finit_module /etc/audit/audit.rules - --a always,exit -F arch=b32 -S finit_module -k module-change - --a always,exit -F arch=b64 -S finit_module -k module-change - -If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. + +Add or update the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S init_module,finit_module -k modulechange + +-a always,exit -F arch=b64 -S init_module,finit_module -k modulechange + +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. + +Check the auditing rules in "/etc/audit/audit.rules" with the following command: + +# grep init_module /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S init_module,finit_module -k modulechange + +-a always,exit -F arch=b64 -S init_module,finit_module -k modulechange + +If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -3442,117 +3017,31 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: -w /etc/security/opasswd -p wa -k identity -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030880The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86823V-72199CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw rename /etc/audit/audit.rules - --a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030890The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86825V-72201CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw renameat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030900The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72203SV-86827CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw rmdir /etc/audit/audit.rules - --a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw unlink /etc/audit/audit.rules - --a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030920The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. - -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - -Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72207SV-86831CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur. - -Add the following rules in "/etc/audit/rules.d/audit.rules": - --a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete - -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur. - -Check the file system rules in "/etc/audit/audit.rules" with the following commands: - -# grep -iw unlinkat /etc/audit/audit.rules - --a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete - --a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete - -If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system: +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. + +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. + +Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. + +Add the following rules in "/etc/audit/rules.d/audit.rules": + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete + +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete + +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. + +Check the file system rules in "/etc/audit/audit.rules" with the following commands: + +# grep 'unlink\|rename\|rmdir' /etc/audit/audit.rules + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete + +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete + +If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system: *.* @@<log aggregation system name>Verify "rsyslog" is configured to send all messages to a log aggregation server. Check the configuration of "rsyslog" with the following command: @@ -4119,15 +3608,15 @@ Check that the SSH daemon performs compression after a user successfully authent # grep -i compression /etc/ssh/sshd_config Compression delayed -If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). -Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows: +Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "16" as follows: -server 0.rhel.pool.ntp.org iburst maxpoll 10 +server 0.rhel.pool.ntp.org iburst maxpoll 16 If NTP was running and "maxpoll" was updated, the NTP service must be restarted: @@ -4143,7 +3632,7 @@ If "chronyd" was running and "maxpoll" was updated, the service must be restarte If "chronyd" was not running, it must be started: -# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode: +# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode: # ps -ef | grep ntp @@ -4157,9 +3646,9 @@ If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" op # grep maxpoll /etc/ntp.conf -server 0.rhel.pool.ntp.org iburst maxpoll 10 +server 0.rhel.pool.ntp.org iburst maxpoll 16 -If the option is set to "17" or is not set, this is a finding. +If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command. @@ -4174,7 +3663,7 @@ If the "chronyd" process is found, then check the "chrony.conf" file for the "ma # grep maxpoll /etc/chrony.conf -server 0.rhel.pool.ntp.org iburst maxpoll 10 +server 0.rhel.pool.ntp.org iburst maxpoll 16 If the option is not set or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040520The Red Hat Enterprise Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. @@ -4919,11 +4408,11 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw -Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. +Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' @@ -4931,10 +4420,11 @@ $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | g /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw -If no results are returned, this is a finding +If no results are returned, this is a finding. +If results are returned from more than one file location, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -4944,11 +4434,13 @@ $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] -Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. +Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. $ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* /etc/sudoers:Defaults timestamp_timeout=0 +If results are returned from more than one file location, this is a finding. + If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. @@ -5029,19 +4521,80 @@ Check the SELinux ssh_sysadm_login boolean with the following command: $ sudo getsebool ssh_sysadm_login ssh_sysadm_login --> off -If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d directory with the following command: $ sudo visudo -f /etc/sudoers.d/<customfile> Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: -%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLNote: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. +%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLNote: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: This command must be ran as root: -# grep sysadm_r /etc/sudoers.d/* +# grep sysadm_r /etc/sudoers /etc/sudoers.d/* %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL -If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding. \ No newline at end of file +If results are returned from more than one file location, this is a finding. + +If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010291The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: + +Perform a password reset: +$ sudo passwd [username] +Lock an account: +$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command: + +$ sudo awk -F: '!$2 {print $1}' /etc/shadow + +If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + +It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. + +Edit the /etc/sudoers file with the following command: + +$ sudo visudo + +Add or modify the following line: +#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: + +$ sudo grep include /etc/sudoers + +#includedir /etc/sudoers.d + +If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding. + +Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: + +$ sudo grep include /etc/sudoers.d/* + +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the operating system to require users to supply a password for privilege escalation. + +Check the configuration of the "/etc/ pam.d/sudo" file with the following command: +$ sudo vi /etc/pam.d/sudo + +Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation. + +Check the configuration of the "/etc/pam.d/sudo" file with the following command: + +$ sudo grep pam_succeed_if /etc/pam.d/sudo + +If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install the AIDE package by running the following command: + +$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. + +Check that the AIDE package is installed with the following command: + +$ sudo rpm -q aide + +aide-0.16-14.el8.x86_64 + +If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. + +If there is no application installed to perform integrity checks, this is a finding. \ No newline at end of file