Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file:

CtrlAltDelBurstAction=none

Reload the daemon for this change to take effect.

$ sudo systemctl daemon-reload

Check

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.

Fix

Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.

RHEL 9 must mount /boot with the nodev option.

RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

RHEL 9 system commands must have mode 755 or less permissive.

RHEL 9 /var/log directory must have mode 0755 or less permissive.

Vulnerability Discussion

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Check

Verify that the "/var/log" directory has a mode of "0755" or less permissive with the following command:

$ ls -ld /var/log

drwxr-xr-x. 16 root root 4096 July 11 11:34 /var/log

If "/var/log" does not have a mode of "0755" or less permissive, this is a finding.

Fix

Configure the "/var/log" directory to a mode of "0755" by running the following command:

$ sudo chmod 0755 /var/log

RHEL 9 library files must be group-owned by root or a system account.

Vulnerability Discussion

Check

Verify the system-wide shared library files are group-owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;

If any system-wide shared library file is returned and is not group-owned by a required system account, this is a finding.

Fix

Check

Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.

Check which services are currently active with the following command:

$ sudo firewall-cmd --list-all-zones

custom (active)
target: DROP
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client dns http https ldaps rpc-bind ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.

Fix

Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.

Then run the following command to load the newly created rule(s):

$ sudo firewall-cmd --reload

RHEL 9 network interfaces must not be in promiscuous mode.

Vulnerability Discussion

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel.

Check

Verify network interfaces are not in promiscuous mode with the following command:

$ ip link | grep -i promisc

If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

Fix

Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.

Set the promiscuous mode of an interface to off with the following command:

$ sudo ip link set dev multicast off promisc off

RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

Vulnerability Discussion

Check

Verify RHEL 9 logs IPv4 martian packets by default.

Check the value of the accept source route variable with the following command:

$ sudo sysctl net.ipv4.conf.default.log_martians

net.ipv4.conf.default.log_martians = 1

If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.log_martians | tail -1

net.ipv4.conf.default.log_martians = 1

If "net.ipv4.conf.default.log_martians" is not set to "1" or is missing, this is a finding.

Fix

Configure RHEL 9 to log martian packets on IPv4 interfaces by default.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.default.log_martians=1

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

RHEL 9 must use reverse path filtering on all IPv4 interfaces.

Vulnerability Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Check

Verify RHEL 9 uses reverse path filtering on all IPv4 interfaces with the following commands:

$ sudo sysctl net.ipv4.conf.all.rp_filter

net.ipv4.conf.all.rp_filter = 1

If the returned line does not have a value of "1", or a line is not returned, this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.rp_filter | tail -1

net.ipv4.conf.all.rp_filter = 1

If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding.

Fix

Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.all.rp_filter = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Vulnerability Discussion

Check

Verify RHEL 9 will not accept IPv4 ICMP redirect messages.

Check the value of the default "accept_redirects" variables with the following command:

$ sudo sysctl net.ipv4.conf.default.accept_redirects

net.ipv4.conf.default.accept_redirects = 0

If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.accept_redirects | tail -1

net.ipv4.conf.default.accept_redirects = 0

If "net.ipv4.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding.

Fix

Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.default.accept_redirects = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

RHEL 9 must not forward IPv4 source-routed packets by default.

Vulnerability Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Check

Verify RHEL 9 does not accept IPv4 source-routed packets by default.

Check the value of the accept source route variable with the following command:

$ sudo sysctl net.ipv4.conf.default.accept_source_route

net.ipv4.conf.default.accept_source_route = 0

If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.accept_source_route | tail -1

net.ipv4.conf.default.accept_source_route = 0

If "net.ipv4.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding.

Fix

Configure RHEL 9 to not forward IPv4 source-routed packets by default.

Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:

net.ipv4.conf.default.accept_source_route = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system

All RHEL 9 networked systems must have SSH installed.

Vulnerability Discussion

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190

Check

Verify that RHEL 9 has the openssh-server package installed with the following command:

$ sudo dnf list --installed openssh-server

Example output:

openssh-server.x86_64 8.7p1-8.el9

If the "openssh-server" package is not installed, this is a finding.

Fix

The openssh-server package can be installed with the following command:

$ sudo dnf install openssh-server

Check

Verify the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval'

ClientAliveInterval 600

If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.

Fix

Note: This setting must be applied in conjunction with RHEL-09-255095 to function correctly.

Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.

Modify or append the following lines in the "/etc/ssh/sshd_config" file:

ClientAliveInterval 600

In order for the changes to take effect, the SSH daemon must be restarted.

$ sudo systemctl restart sshd.service

RHEL 9 SSH server configuration file must be group-owned by root.

Vulnerability Discussion

Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.

Check

Verify the group ownership of the "/etc/ssh/sshd_config" file with the following command:

$ ls -al /etc/ssh/sshd_config

rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config

If the "/etc/ssh/sshd_config" file does not have a group owner of "root", this is a finding.

Fix

Configure the "/etc/ssh/sshd_config" file to be group-owned by root with the following command:

$ sudo chgrp root /etc/ssh/sshd_config

Fix

Configure RHEL 9 to initiate a session lock for graphical user interfaces when a screensaver is activated.

Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:

Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.

$ sudo touch /etc/dconf/db/local.d/00-screensaver

[org/gnome/desktop/screensaver]
lock-delay=uint32 5

The "uint32" must be included along with the integer key values as shown.

Update the system databases:

$ sudo dconf update

RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

Vulnerability Discussion

Check

Verify RHEL 9 prevents a user from overriding settings for graphical user interfaces.

Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

$ sudo grep system-db /etc/dconf/profile/user

system-db:local

Check that graphical settings are locked from nonprivileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*

/org/gnome/desktop/screensaver/lock-delay

If the command does not return at least the example result, this is a finding.

Configure RHEL 9 to disable a user's ability to restart the system.

Add or update the [org/gnome/settings-daemon/] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines:

[org/gnome/login-screen]
disable-restart-buttons='true'

Then update the dconf system databases:

$ sudo dconf update

RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.

Vulnerability Discussion

Check

Verify RHEL 9 prevents a user from overriding the disable-restart-buttons setting for graphical user interfaces.

Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

$ sudo grep system-db /etc/dconf/profile/user

system-db:local

Check that graphical settings are locked from nonprivileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ grep disable-restart-buttons /etc/dconf/db/local.d/locks/*

/org/gnome/login-screen/disable-restart-buttons

If the command does not return at least the example result, this is a finding.

Fix

Configure RHEL 9 to prevent a user from overriding the disable-restart-buttons setting for graphical user interfaces.

Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:

$ sudo touch /etc/dconf/db/local.d/locks/session

Add the following line to prevent nonprivileged users from modifying it:

/org/gnome/login-screen/disable-restart-buttons

Run the following command to update the database:

$ sudo dconf update

RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.

Vulnerability Discussion

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Check

Verify RHEL 9 is configured to ignore the Ctrl-Alt-Del sequence in the GNOME desktop with the following command:

Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout

"['']"

If the GNOME desktop is configured to shut down when Ctrl-Alt-Del is pressed, this is a finding.

Fix

Configure RHEL 9 to ignore the Ctrl-Alt-Del sequence in the GNOME desktop.

Add or update the [org/gnome/settings-daemon/plugins/media-keys] section of the /etc/dconf/db/local.d/00-security-settings database file and add or update the following lines:

[org/gnome/settings-daemon/plugins/media-keys]
logout=['']

Run the following command to update the database:

$ sudo dconf update

Vulnerability Discussion

Check

Verify RHEL 9 has USBGuard enabled with the following command:

$ systemctl is-active usbguard

active

If usbguard is not active, ask the SA to indicate how unauthorized peripherals are being blocked.

If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

Fix

To enable the USBGuard service run the following command:

$ sudo systemctl enable --now usbguard

RHEL 9 must enable Linux audit logging for the USBGuard daemon.

Vulnerability Discussion

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DOD has defined the list of events for which RHEL 9 will provide an audit record generation capability as the following:

1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);

2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;

3) All account creations, modifications, disabling, and terminations; and

4) All kernel module load, unload, and restart actions.

Check

To verify that Linux Audit logging is enabled for the USBGuard daemon with the following command:

$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf

AuditBackend=LinuxAudit

If "AuditBackend" is not set to "LinuxAudit", this is a finding.

Fix

Configure RHEL 9 USBGuard AuditBackend to use the audit system.

Add or edit the following line in /etc/usbguard/usbguard-daemon.conf

AuditBackend=LinuxAudit

RHEL 9 must block unauthorized peripherals before establishing a connection.

Vulnerability Discussion

Check

Verify the USBGuard has a policy configured with the following command:

$ usbguard list-rules

allow id 1d6b:0001 serial

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.

If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

If the system is virtual machine with no virtual or physical USB peripherals attached, this is not a finding.

Fix

Configure the operating system to enable the blocking of unauthorized peripherals with the following command:

Note: This command must be run from a root shell and will create an allow list for any usb devices currently connect to the system.

# usbguard generate-policy --no-hash > /etc/usbguard/rules.conf

Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse.

RHEL 9 Bluetooth must be disabled.

Vulnerability Discussion

This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 9 operating system.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118

Check

Verify that RHEL 9 disables the ability to load the Bluetooth kernel module with the following command:

$ sudo grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d/*

blacklist bluetooth

If the command does not return any output, or the line is commented out, and use of Bluetooth is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure RHEL 9 to disable the Bluetooth adapter when not in use.

Create or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line:

install bluetooth /bin/false
blacklist bluetooth

Reboot the system for the settings to take effect.

Check

Verify RHEL 9 shell initialization file is configured to start each shell with the tmux terminal multiplexer.

Determine the location of the tmux script with the following command:

$ sudo grep tmux /etc/bashrc /etc/profile.d/*

/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac

Review the tmux script by using the following example:

$ cat /etc/profile.d/tmux.sh

If [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in (sshd|login) tmux ;; esac
fi

If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.

Determine if tmux is currently running with the following command:

$ sudo ps all | grep tmux | grep -v grep

If the command does not produce output, this is a finding.

Fix

Configure RHEL 9 to initialize the tmux terminal multiplexer as each shell is called by adding the following to file "/etc/profile.d/tmux.sh":

if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) tmux ;; esac
fi

RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.

Vulnerability Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 9 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.

Check

Verify RHEL 9 enables the user to initiate a session lock with the following command:

$ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf

set -g lock-command vlock
bind X lock-session

If the "lock-command" is not set and "lock-session" is not bound to a specific keyboard key in the global settings, this is a finding.

Fix

Configure RHEL 9 to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter "X" to manually initiate a session lock after the prefix key "Ctrl + b" has been sent. The complete key sequence is thus "Ctrl + b" then "Shift + x" to lock tmux.

Create a global configuration file "/etc/tmux.conf" and add the following lines:

set -g lock-command vlock
bind X lock-session

Reload tmux configuration to take effect. This can be performed in tmux while it is running:

$ tmux source-file /etc/tmux.conf

RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Vulnerability Discussion

Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Check

Verify RHEL 9 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs

UMASK 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

Fix

Configure RHEL 9 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "077":

UMASK 077

Verify that RHEL 9 enforces a minimum 15-character password length with the following command:

$ grep minlen /etc/security/pwquality.conf

minlen = 15

If the command does not return a "minlen" value of "15" or greater, does not return a line, or the line is commented out, this is a finding.

Fix

Configure RHEL 9 to enforce a minimum 15-character password length.

Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):

minlen = 15

RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.

Vulnerability Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

RHEL 9 installation media provides "rsyslogd", a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (a secure communications library implementing the SSL, TLS and DTLS protocols) creates a method to securely encrypt and offload auditing.

Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.

Examples of each configuration:
UDP *.* @remotesystemname
TCP *.* @@remotesystemname
RELP *.* :omrelp:remotesystemname:2514
Note that a port number was given as there is no standard port for RELP.

Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133

Check

Verify that RHEL 9 audit system offloads audit records onto a different system or media from the system being audited via rsyslog using TCP with the following command:

$ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf

/etc/rsyslog.conf:*.* @@[remoteloggingserver]:[port]

If a remote server is not configured, or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are offloaded to a different system or media.

If there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.

Fix

Configure RHEL 9 to offload audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf"" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server.

*.* @@[remoteloggingserver]:[port]"

Vulnerability Discussion

It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.

Check

Verify RHEL 9 takes the appropriate action when an audit processing failure occurs.

Check that RHEL 9 takes the appropriate action when an audit processing failure occurs with the following command:

$ sudo grep disk_error_action /etc/audit/auditd.conf

disk_error_action = HALT

If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.

Fix

Configure RHEL 9 to shut down by default upon audit failure (unless availability is an overriding concern).

Add or update the following line (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file:

disk_error_action = HALT

If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".

Vulnerability Discussion

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Check

Verify RHEL 9 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = email

If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the SA to indicate how the system is providing real-time alerts to the SA and ISSO.

If there is no evidence that real-time alerts are configured on the system, this is a finding.

Fix

RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.

Vulnerability Discussion

If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.

Check

Verify RHEL 9 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w admin_space_left /etc/audit/auditd.conf

admin_space_left = 5%

If the value of the "admin_space_left" keyword is not set to 5 percent of the storage volume allocated to audit logs, or if the line is commented out, ask the system administrator (SA) to indicate how the system is taking action if the allocated storage is about to reach capacity. If the "space_left" value is not configured to the correct value, this is a finding.

Fix

Configure RHEL 9 to initiate an action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.

admin_space_left = 5%

RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Vulnerability Discussion

If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.

Check

Verify that RHEL 9 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep admin_space_left_action /etc/audit/auditd.conf

admin_space_left_action = single

If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO).

If there is no evidence that real-time alerts are configured on the system, this is a finding.

Fix

Configure "auditd" service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:

admin_space_left_action = single

The audit daemon must be restarted for changes to take effect.

Check

Verify that RHEL 9 audit system is configured to resolve audit information before writing to disk, with the following command:

$ sudo grep log_format /etc/audit/auditd.conf

log_format = ENRICHED

If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.

Fix

Edit the /etc/audit/auditd.conf file and add or update the "log_format" option:

log_format = ENRICHED

The audit daemon must be restarted for changes to take effect.

RHEL 9 must write audit records to disk.

Vulnerability Discussion

Audit data should be synchronously written to disk to ensure log integrity. This setting assures that all audit event data is written disk.

Check

Verify that the audit system is configured to write logs to the disk with the following command:

$ sudo grep write_logs /etc/audit/auditd.conf

write_logs = yes

If "write_logs" does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.

Fix

Configure the audit system to write log files to the disk.

Edit the /etc/audit/auditd.conf file and add or update the "write_logs" option to "yes":

write_logs = yes

The audit daemon must be restarted for changes to take effect.

RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

RHEL 9 must audit all uses of the su command.

RHEL 9 must audit all uses of the unix_update command.

Check

Verify that the RHEL 9 cryptography policy has been configured correctly with the following commands:

$ sudo update-crypto-policies --show

FIPS

If the cryptography is not set to "FIPS" and is not applied, this is a finding.

$ sudo update-crypto-policies --check

The configured policy matches the generated policy

If the command does not return "The configured policy matches the generated policy", this is a finding.

Fix

Configure the operating system to implement FIPS mode with the following command

$ sudo fips-mode-setup --enable

Reboot the system for the changes to take effect.

RHEL 9 must implement DOD-approved encryption in the bind package.

Vulnerability Discussion

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

RHEL 9 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.

Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190

Check

Verify that BIND uses the system crypto policy with the following command:

Note: If the "bind" package is not installed, this requirement is Not Applicable.

$ sudo grep include /etc/named.conf

include "/etc/crypto-policies/back-ends/bind.config";'

If BIND is installed and the BIND config file doesn't contain the include "/etc/crypto-policies/back-ends/bind.config" directive, or the line is commented out, this is a finding.

Fix

Configure BIND to use the system crypto policy.

Add the following line to the "options" section in "/etc/named.conf":

include "/etc/crypto-policies/back-ends/bind.config";