OL 9 must be configured so that the cryptographic hashes of system files match vendor values.

STIG ID: OL09-00-000243  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271480

Vulnerability Discussion

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Check

Verify that OL 9 is configured so that the cryptographic hashes of system files match vendor values.

List files on the system that have file hashes different from what is expected by the RPM database with the following command:

$ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'

If there is output, this is a finding.

Fix

Configure OL 9 so that the cryptographic hashes of system files match vendor values.

Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled:

$ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'
S.5....T. /usr/bin/znew

$ sudo dnf provides /usr/bin/znew
[...]
gzip-1.10-8.el9.x86_64 : The GNU data compression program
[...]

$ sudo dnf -y reinstall gzip
[...]

$ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'
[no output]
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.