From b7f082455f3d1d2081a098a507d2ba003f972074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 23 Jun 2026 09:31:34 +0200
Subject: [PATCH 1/7] Fix traceback when SRG doesn't exist

Addressing:
```
jcerny@fedora:~/work/git/scap-security-guide (rhel10_stig_manual)$ utils/build_stig_control.py -o products/rhel10/controls/stig_rhel10.yml -p rhel10 -m shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml -g controls/srg_gpos.yml
Traceback (most recent call last):
File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 232, in
main()
~~~~^^
File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 204, in main
controls = get_controls(known_rules, ns, root, srg_controls)
File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 158, in get_controls
control['rules'] = get_rules_for_control(stig_id, known_rules, srgs, srg_controls)
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 139, in get_rules_for_control
rule_set.update(srg_controls.get_control(srg).rules)
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
File "/home/jcerny/work/git/scap-security-guide/ssg/controls.py", line 688, in get_control
raise ValueError(msg) from None
ValueError: SRG-OS-000142-GPOS-00072 not found in policy srg_gpos
```
---
 utils/build_stig_control.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/utils/build_stig_control.py b/utils/build_stig_control.py
index 7f4de481038f..a6773247f7ec 100755
--- a/utils/build_stig_control.py
+++ b/utils/build_stig_control.py
@@ -136,7 +136,11 @@ def get_rules_for_control(stig_id, known_rules, srgs, srg_controls):
 # Let's also add any rule selected in the SRG control file
 if srg_controls:
 for srg in srgs:
- rule_set.update(srg_controls.get_control(srg).rules)
+ try:
+ rules = srg_controls.get_control(srg).rules
+ rule_set.update(rules)
+ except ValueError as e:
+ sys.stderr.write("Cannot add rules for %s: %s\n" % (stig_id, str(e)))
 return sorted(list(rule_set))

From 6acd795965f9905831d4bf92d8f39027541c0bd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 23 Jun 2026 11:31:21 +0200
Subject: [PATCH 2/7] Create RHEL 10 STIG control file

Generated initial version of RHEL 10 STIG control file using `build_stig_control.py` based on data from DISA manual XCCDF (`shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml`) and SRG GPOS control files (`controls/srg_gpos.yml`).
---
 products/rhel10/controls/stig_rhel10.yml | 9770 ++++++++++++++++++++++
 products/rhel10/profiles/stig.profile | 2 +-
 2 files changed, 9771 insertions(+), 1 deletion(-)
 create mode 100644 products/rhel10/controls/stig_rhel10.yml

diff --git a/products/rhel10/controls/stig_rhel10.yml b/products/rhel10/controls/stig_rhel10.yml
new file mode 100644
index 000000000000..8169b4428b76
--- /dev/null
+++ b/products/rhel10/controls/stig_rhel10.yml
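Review bot: The `try` body on the added lines wraps both the SRG lookup and `rule_set.update(rules)`, so the `except ValueError` is broader than the failure it is meant to absorb — only `srg_controls.get_control(srg)` raises the "not found in policy" ValueError shown in the commit message; keep the lookup alone in the `try` and move the update into an `else:` branch (`except ValueError as e: sys.stderr.write(...)` followed by `else: rule_set.update(rules)`). The message goes to stderr and the build continues, which means a STIG control whose SRG reference cannot be resolved is emitted with fewer rules than the mapping intends; consider having the caller count these failures so the run can end with a non-zero status or a summary line, otherwise the coverage gap in the generated control file is easy to miss in build output. `str(e)` is redundant with `%s`, `print(..., file=sys.stderr)` is the more usual form, and the hunk assumes `sys` is already imported at the top of the file, which cannot be confirmed from here. The rest of get_rules_for_control, including where `rule_set` is created, lies before this hunk.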
@@ -0,0 +1,9770 @@ +policy: Red Hat Enterprise Linux 10 Security Technical Implementation Guide +title: Red Hat Enterprise Linux 10 Security Technical Implementation Guide +id: stig_rhel10 +version: V1R1 +source: https://www.cyber.mil/stigs/downloads/ +reference_type: stigid +product: rhel10 +levels: +- id: high +- id: medium +- id: low +controls: +- id: RHEL-10-700970 + levels: + - medium + title: RHEL 10 must disable the debug-shell systemd service. + rules: + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disallow_bypass_password_sudo + - package_sudo_installed + - service_debug-shell_disabled + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - var_sudo_timestamp_timeout=always_prompt + status: automated +- id: RHEL-10-001020 + levels: + - medium + title: RHEL 10 must ensure cryptographic verification of vendor software packages. + rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + - package_subscription-manager_installed + - sysctl_kernel_kexec_load_disabled + status: automated +- id: RHEL-10-001030 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages + originating from external software repositories before installation. + rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + - package_subscription-manager_installed + - sysctl_kernel_kexec_load_disabled + status: automated +- id: RHEL-10-001040 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed + software packages before installation. 
+ rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + - package_subscription-manager_installed + - sysctl_kernel_kexec_load_disabled + status: automated +- id: RHEL-10-001050 + levels: + - high + title: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled + for all software repositories. + rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + - package_subscription-manager_installed + - sysctl_kernel_kexec_load_disabled + status: automated +- id: RHEL-10-000510 + levels: + - high + title: RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure + or modification of all information on local disk partitions that requires at-rest + protection. + rules: + - encrypt_partitions + status: automated +- id: RHEL-10-000520 + levels: + - low + title: RHEL 10 must use a separate file system for the system audit data path. + rules: + - auditd_audispd_configure_sufficiently_large_partition + - grub2_audit_backlog_limit_argument + - partition_for_var_log_audit + - var_audit_backlog_limit=8192 + status: automated +- id: RHEL-10-000530 + levels: + - medium + title: RHEL 10 must use a separate file system for user home directories (such as + "/home" or an equivalent). + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-000540 + levels: + - medium + title: RHEL 10 must use a separate file system for "/tmp". 
+ rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-000550 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var". + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-000560 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/log". + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-000570 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/tmp". + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-200000 + levels: + - medium + title: RHEL 10 must remove all software components after updated versions have been + installed. + rules: + - clean_components_post_updating + status: automated +- id: RHEL-10-200010 + levels: + - medium + title: RHEL 10 must not have the "nfs-utils" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200020 + levels: + - high + title: RHEL 10 must not have the "telnet-server" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200030 + levels: + - medium + title: RHEL 10 must not have the "gssproxy" package installed. 
+ rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200040 + levels: + - medium + title: RHEL 10 must not have the tuned package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200050 + levels: + - medium + title: RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package + installed unless it is required by the mission, and if required, the TFTP daemon + must be configured to operate in secure mode. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200060 + levels: + - medium + title: RHEL 10 must not have the unbound package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200070 + levels: + - high + title: RHEL 10 must not have the "tftp" package installed. + rules: + - package_telnet-server_removed + - package_tftp_removed + - package_vsftpd_removed + status: automated +- id: RHEL-10-200080 + levels: + - medium + title: RHEL 10 must not have the "gdm" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200090 + levels: + - high + title: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. 
+ rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - package_telnet-server_removed + - package_tftp_removed + - package_vsftpd_removed + status: automated +- id: RHEL-10-200500 + levels: + - medium + title: RHEL 10 must have the "subscription-manager" package installed. + rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + - package_subscription-manager_installed + - sysctl_kernel_kexec_load_disabled + status: automated +- id: RHEL-10-200510 + levels: + - medium + title: RHEL 10 must have the "nss-tools" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200520 + levels: + - medium + title: RHEL 10 must have the "s-nail" package installed. + rules: + - aide_build_database + - aide_periodic_cron_checking + - aide_use_fips_hashes + - package_aide_installed + - package_s-nail_installed + status: automated +- id: RHEL-10-200530 + levels: + - medium + title: RHEL 10 must have the "firewalld" package installed. + rules: + - chronyd_client_only + - chronyd_no_chronyc_network + - configure_firewalld_ports + - firewalld_sshd_port_enabled + - package_firewalld_installed + - service_firewalld_enabled + status: automated +- id: RHEL-10-200531 + levels: + - medium + title: RHEL 10 must have the "firewalld" service set to active. + rules: + - chronyd_client_only + - chronyd_no_chronyc_network + - configure_firewalld_ports + - firewalld_sshd_port_enabled + - package_firewalld_installed + - service_firewalld_enabled + status: automated +- id: RHEL-10-200532 + levels: + - medium + title: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections + to other systems. 
+ rules: + - configure_firewalld_ports + - package_firewalld_installed + - service_firewalld_enabled + status: automated +- id: RHEL-10-200540 + levels: + - medium + title: RHEL 10 must have the "chrony" package installed. + rules: + - chronyd_or_ntpd_set_maxpoll + - chronyd_server_directive + - chronyd_specify_remote_server + - package_chrony_installed + - service_chronyd_enabled + - var_multiple_time_servers=stig + status: automated +- id: RHEL-10-200541 + levels: + - medium + title: RHEL 10 must enable the chronyd service. + rules: + - chronyd_or_ntpd_set_maxpoll + - chronyd_server_directive + - chronyd_specify_remote_server + - package_chrony_installed + - service_chronyd_enabled + - var_multiple_time_servers=stig + status: automated +- id: RHEL-10-200542 + levels: + - medium + title: RHEL 10 must disable the chrony daemon from acting as a server. + rules: + - chronyd_client_only + - chronyd_no_chronyc_network + - configure_firewalld_ports + - firewalld_sshd_port_enabled + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - package_firewalld_installed + - service_firewalld_enabled + status: automated +- id: RHEL-10-200543 + levels: + - medium + title: RHEL 10 must disable network management of the chrony daemon. + rules: + - chronyd_client_only + - chronyd_no_chronyc_network + - configure_firewalld_ports + - firewalld_sshd_port_enabled + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - package_firewalld_installed + - service_firewalld_enabled + status: automated +- id: RHEL-10-200560 + levels: + - medium + title: RHEL 10 must have the USBGuard package installed. 
+ rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-200561 + levels: + - medium + title: RHEL 10 must have the USBGuard package enabled. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-200562 + levels: + - medium + title: RHEL 10 must block unauthorized peripherals before establishing a connection. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-200563 + levels: + - medium + title: RHEL 10 must enable audit logging for the USBGuard daemon. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_lastlog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - 
audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-200570 + levels: + - medium + title: RHEL 10 must have the "policycoreutils" package installed. + rules: + - grub2_init_on_free + - grub2_page_poison_argument + - grub2_vsyscall_argument + - package_policycoreutils_installed + - selinux_state + status: automated +- id: RHEL-10-200580 + levels: + - medium + title: RHEL 10 must have the "policycoreutils-python-utils" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200590 + levels: + - medium + title: RHEL 10 must have the "sudo" package installed. 
+ rules: + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disallow_bypass_password_sudo + - package_sudo_installed + - service_debug-shell_disabled + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - var_sudo_timestamp_timeout=always_prompt + status: automated +- id: RHEL-10-200600 + levels: + - medium + title: RHEL 10 must have the "fapolicy" module installed. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-200601 + levels: + - medium + title: RHEL 10 must enable the "fapolicy" module. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-200602 + levels: + - medium + title: RHEL 10 must be configured to employ a deny-all, permit-by-exception policy + to allow the execution of authorized software programs. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-200610 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite" package installed. 
+ rules: + - install_smartcard_packages + - package_opensc_installed + - package_pcsc-lite-ccid_installed + - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_certificate_verification + - sssd_enable_smartcards + - var_sssd_certificate_verification_digest_function=sha512 + status: automated +- id: RHEL-10-200611 + levels: + - medium + title: RHEL 10 must have the "pcscd" service set to active. + rules: + - install_smartcard_packages + - package_opensc_installed + - package_pcsc-lite-ccid_installed + - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_certificate_verification + - sssd_enable_smartcards + - var_sssd_certificate_verification_digest_function=sha512 + status: automated +- id: RHEL-10-200612 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite-ccid" package installed. + rules: + - install_smartcard_packages + - package_opensc_installed + - package_pcsc-lite-ccid_installed + - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_certificate_verification + - sssd_enable_smartcards + - var_sssd_certificate_verification_digest_function=sha512 + status: automated +- id: RHEL-10-200620 + levels: + - medium + title: RHEL 10 must have the "opensc" package installed. + rules: + - install_smartcard_packages + - package_opensc_installed + - package_pcsc-lite-ccid_installed + - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_certificate_verification + - sssd_enable_smartcards + - var_sssd_certificate_verification_digest_function=sha512 + status: automated +- id: RHEL-10-200621 + levels: + - medium + title: RHEL 10 must use the common access card (CAC) smart card driver. 
+ rules: + - account_unique_id + - configure_opensc_card_drivers + - gid_passwd_group_same + - group_unique_id + - sshd_disable_empty_passwords + - sshd_disable_root_login + - sshd_enable_pubkey_auth + - var_smartcard_drivers=cac + status: automated +- id: RHEL-10-200630 + levels: + - medium + title: RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package + installed. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-200631 + levels: + - high + title: RHEL 10 must use cryptographic mechanisms to protect the integrity of audit + tools. + rules: + - aide_check_audit_tools + status: automated +- id: RHEL-10-200632 + levels: + - medium + title: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved + cryptographic hashes for validating file contents and directories. + rules: + - encrypt_partitions + status: automated +- id: RHEL-10-200633 + levels: + - medium + title: RHEL 10 must routinely check the baseline configuration for unauthorized + changes and notify the system administrator when anomalies in the operation of + any security functions are discovered. + rules: + - aide_build_database + - aide_periodic_cron_checking + - aide_scan_notification + - aide_use_fips_hashes + - package_aide_installed + - package_s-nail_installed + status: automated +- id: RHEL-10-200634 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies Access + Control Lists (ACLs). + rules: + - encrypt_partitions + status: automated +- id: RHEL-10-200635 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies extended + attributes. + rules: + - encrypt_partitions + status: automated +- id: RHEL-10-200640 + levels: + - medium + title: RHEL 10 must have the "rsyslog" package installed. 
+ rules: + - auditd_freq + - auditd_name_format + - auditd_overflow_action + - package_audit_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + - service_auditd_enabled + - var_auditd_freq=100 + status: automated +- id: RHEL-10-200641 + levels: + - medium + title: RHEL 10 must have the rsyslog service set to active. + rules: + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-200642 + levels: + - medium + title: RHEL 10 must be configured to forward audit records via Transmission Control + Protocol (TCP) to a different system or media from the system being audited via + rsyslog. + rules: + - auditd_name_format + - auditd_overflow_action + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-200643 + levels: + - medium + title: RHEL 10 must be configured so that the rsyslog daemon does not accept log + messages from other servers unless the server is being used for log aggregation. + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-200644 + levels: + - medium + title: RHEL 10 must authenticate the remote logging server for off-loading audit + logs via "rsyslog". 
+ rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-200645 + levels: + - medium + title: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different + system or media from the system being audited via rsyslog. + rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-200646 + levels: + - medium + title: RHEL 10 must encrypt, via the gtls driver, the transfer of audit records + off-loaded onto a different system or media from the system being audited via + rsyslog. + rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-200647 + levels: + - medium + title: RHEL 10 must monitor all remote access methods. + rules: + - rsyslog_remote_access_monitoring + - sshd_set_loglevel_verbose + status: automated +- id: RHEL-10-200648 + levels: + - medium + title: RHEL 10 must use cron logging. + rules: + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-200650 + levels: + - medium + title: RHEL 10 must have the packages required for encrypting off-loaded audit logs + installed. 
+ rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + status: automated +- id: RHEL-10-200660 + levels: + - medium + title: RHEL 10 must have the "audit" package installed. + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - 
audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_freq + - auditd_local_events + - auditd_log_format + - auditd_name_format + - configure_usbguard_auditbackend + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - package_audit_installed + - package_rsyslog_installed + - service_auditd_enabled + - var_audit_backlog_limit=8192 + - var_auditd_freq=100 + status: automated +- id: RHEL-10-200661 + levels: + - medium + title: 
RHEL 10 must enable the audit service. + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_freq + - auditd_local_events + - auditd_log_format + - auditd_name_format + - configure_usbguard_auditbackend + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - package_audit_installed + - package_rsyslog_installed + - service_auditd_enabled + - var_audit_backlog_limit=8192 + - var_auditd_freq=100 + status: automated +- id: RHEL-10-200662 + levels: + - low + title: RHEL 10 must have the "audispd-plugins" package installed. 
+ rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-200680 + levels: + - medium + title: RHEL 10 must have the "libreswan" package installed. + rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + status: automated +- id: RHEL-10-200690 + levels: + - medium + title: RHEL 10 must notify designated personnel if baseline configurations are changed + in an unauthorized manner. + rules: + - audit_rules_system_shutdown + - auditd_data_retention_action_mail_acct + - package_postfix_installed + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_audit_failure_mode=panic + - var_auditd_action_mail_acct=root + - var_postfix_root_mail_alias=mil_sysadmin + status: automated +- id: RHEL-10-200691 + levels: + - medium + title: RHEL 10 must have mail aliases to notify the information system security + officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing + failure. + rules: + - audit_rules_system_shutdown + - auditd_data_retention_action_mail_acct + - package_postfix_installed + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_audit_failure_mode=panic + - var_auditd_action_mail_acct=root + - var_postfix_root_mail_alias=mil_sysadmin + status: automated +- id: RHEL-10-200692 + levels: + - medium + title: RHEL 10 must be configured to prevent unrestricted mail relaying. 
+ rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200700 + levels: + - medium + title: RHEL 10 must have the "cronie" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200720 + levels: + - medium + title: RHEL 10 must have a Secure Shell (SSH) server installed for all networked + systems. + rules: + - configure_bind_crypto_policy + - package_openssh-server_installed + - service_sshd_enabled + - ssh_client_rekey_limit + - sysctl_crypto_fips_enabled + - wireless_disable_interfaces + status: automated +- id: RHEL-10-200721 + levels: + - medium + title: RHEL 10 must, for all networked systems, have and implement Secure Shell + (SSH) to protect the confidentiality and integrity of transmitted and received + information. + rules: + - configure_bind_crypto_policy + - package_openssh-server_installed + - service_sshd_enabled + - ssh_client_rekey_limit + - sysctl_crypto_fips_enabled + - wireless_disable_interfaces + status: automated +- id: RHEL-10-200722 + levels: + - medium + title: RHEL 10 must have the "openssh-clients" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-200730 + levels: + - medium + title: RHEL 10 must have the "pkcs11-provider" package installed. 
+ rules: + - install_smartcard_packages + - package_opensc_installed + - package_pcsc-lite-ccid_installed + - package_pcsc-lite_installed + - service_pcscd_enabled + - sshd_enable_pubkey_auth + - sssd_certificate_verification + - sssd_enable_smartcards + - var_sssd_certificate_verification_digest_function=sha512 + status: automated +- id: RHEL-10-200740 + levels: + - medium + title: RHEL 10 must have the "gnutls-utils" package installed. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-300000 + levels: + - high + title: RHEL 10 must have the "crypto-policies" package installed. + rules: + - configure_crypto_policy + - enable_fips_mode + - fips_crypto_subpolicy + - package_crypto-policies_installed + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + - var_system_crypto_policy=fips + status: automated +- id: RHEL-10-300010 + levels: + - high + title: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. + rules: + - configure_crypto_policy + - configure_libreswan_crypto_policy + - enable_fips_mode + - fips_crypto_subpolicy + - package_crypto-policies_installed + - sshd_rekey_limit + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_system_crypto_policy=fips + status: automated +- id: RHEL-10-000500 + levels: + - high + title: RHEL 10 must enable FIPS mode. 
+ rules: + - aide_use_fips_hashes + - configure_bind_crypto_policy + - configure_crypto_policy + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - enable_fips_mode + - file_sshd_50_redhat_exists + - fips_crypto_subpolicy + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - package_crypto-policies_installed + - package_openssh-server_installed + - service_sshd_enabled + - sshd_approved_ciphers=stig_rhel9 + - sshd_approved_macs=stig_rhel9 + - sshd_enable_pam + - sshd_include_crypto_policy + - sshd_rekey_limit + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_system_crypto_policy=fips + status: automated +- id: RHEL-10-300030 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved + encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms + to protect the confidentiality of SSH client connections. 
+ rules: + - configure_bind_crypto_policy + - configure_crypto_policy + - configure_libreswan_crypto_policy + - file_sshd_50_redhat_exists + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - package_crypto-policies_installed + - package_openssh-server_installed + - service_sshd_enabled + - sshd_approved_ciphers=stig_rhel9 + - sshd_approved_macs=stig_rhel9 + - sshd_enable_pam + - sshd_include_crypto_policy + - sshd_rekey_limit + - sysctl_crypto_fips_enabled + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_system_crypto_policy=fips + status: automated +- id: RHEL-10-300040 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved + encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms + to protect the confidentiality of SSH server connections. + rules: + - file_sshd_50_redhat_exists + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel9 + - sshd_approved_macs=stig_rhel9 + - sshd_enable_pam + - sshd_include_crypto_policy + - sysctl_crypto_fips_enabled + status: automated +- id: RHEL-10-300050 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved + Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic + hash algorithms to protect the confidentiality of SSH client connections. 
+ rules: + - file_sshd_50_redhat_exists + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel9 + - sshd_approved_macs=stig_rhel9 + - sshd_enable_pam + - sshd_include_crypto_policy + - sysctl_crypto_fips_enabled + status: automated +- id: RHEL-10-300060 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved + Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic + hash algorithms to protect the confidentiality of SSH server connections. + rules: + - file_sshd_50_redhat_exists + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel9 + - sshd_approved_macs=stig_rhel9 + - sshd_enable_pam + - sshd_include_crypto_policy + - sysctl_crypto_fips_enabled + status: automated +- id: RHEL-10-300070 + levels: + - high + title: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. + rules: + - configure_libreswan_crypto_policy + - sshd_rekey_limit + - sysctl_crypto_fips_enabled + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + status: automated +- id: RHEL-10-300080 + levels: + - high + title: RHEL 10 must implement DOD-approved encryption in the bind package. + rules: + - configure_bind_crypto_policy + - package_openssh-server_installed + - service_sshd_enabled + - sysctl_crypto_fips_enabled + status: automated +- id: RHEL-10-300090 + levels: + - high + title: RHEL 10 cryptographic policy must not be overridden. 
+ rules: + - configure_crypto_policy + - enable_fips_mode + - fips_crypto_subpolicy + - package_crypto-policies_installed + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + - var_system_crypto_policy=fips + status: automated +- id: RHEL-10-400000 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is owned by root. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400005 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is group-owned by + "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400010 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400015 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400020 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400025 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400030 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400035 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400040 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400045 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned + by "root". 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400050 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400055 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400060 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400065 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400070 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400075 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned + by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400080 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is owned by "root". + rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400085 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is group-owned + by "root". + rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400090 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/"messages file is owned + by root. 
+ rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400095 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned + by "root". + rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400100 + levels: + - medium + title: RHEL 10 must be configured so that system commands are owned by "root". + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400105 + levels: + - medium + title: RHEL 10 must be configured so that system commands are group-owned by root + or a system account. 
+ rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400110 + levels: + - medium + title: RHEL 10 must be configured so that library files are owned by "root". + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400115 + levels: + - medium + title: RHEL 10 must be configured so that library files are group-owned by "root" + or a system account. + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400120 + levels: + - medium + title: RHEL 10 must be configured so that library directories are owned by "root". + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400125 + levels: + - medium + title: RHEL 10 must be configured so that library directories are group-owned by + "root" or a system account. 
+ rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400130 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration file directories are + owned by root. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-400135 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration files directories are + group-owned by root. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400140 + levels: + - medium + title: RHEL 10 must be configured so that world-writable directories are owned by + root, sys, bin, or an application user. + rules: + - dir_perms_world_writable_root_owned + - dir_perms_world_writable_sticky_bits + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_perf_event_paranoid + status: automated +- id: RHEL-10-400145 + levels: + - medium + title: RHEL 10 must be configured so that all system device files are correctly + labeled to prevent unauthorized modification. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400150 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration + file is group-owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400155 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration + file is owned by "root". + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400160 + levels: + - medium + title: RHEL 10 must ensure that all local interactive user home directories are + group-owned by the home directory owner's primary group. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - firewalld-backend + - grub2_admin_username + - grub2_password + - require_singleuser_auth + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-400165 + levels: + - medium + title: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted + logging group to prevent unauthorized read access. 
+ rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400170 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of the audit log directory to prevent + unauthorized read access. + rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400175 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized + access. + rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400180 + levels: + - medium + title: RHEL 10 must enforce group ownership by "root" or a restricted logging group + for audit log files to prevent unauthorized access. 
+ rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400185 + levels: + - medium + title: RHEL 10 must set mode "0600" or less permissive for the audit logs file to + prevent unauthorized access to the audit log. + rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400190 + levels: + - medium + title: RHEL 10 must enforce the audit log directory to have a mode of "0750" or + less permissive to prevent unauthorized read access. + rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit + - file_ownership_var_log_audit_stig + - file_permissions_var_log_audit + status: automated +- id: RHEL-10-400195 + levels: + - medium + title: RHEL 10 must enforce root ownership of the "/etc/audit/" directory. + rules: + - file_permissions_etc_audit_auditd + - file_permissions_etc_audit_rulesd + status: automated +- id: RHEL-10-400200 + levels: + - medium + title: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. 
+ rules: + - file_permissions_etc_audit_auditd + - file_permissions_etc_audit_rulesd + status: automated +- id: RHEL-10-400205 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for system commands. + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400210 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive on library directories. + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400215 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for library files. + rules: + - dir_group_ownership_library_dirs + - dir_ownership_library_dirs + - dir_permissions_library_dirs + - file_groupownership_system_commands_dirs + - file_ownership_binary_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_permissions_library_dirs + - root_permissions_syslibrary_files + status: automated +- id: RHEL-10-400220 + levels: + - medium + title: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. 
+ rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400225 + levels: + - medium + title: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" + file. + rules: + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_owner_var_log + - file_owner_var_log_messages + - file_ownership_var_log_audit_stig + - file_permissions_var_log + - file_permissions_var_log_audit + - file_permissions_var_log_messages + status: automated +- id: RHEL-10-400230 + levels: + - medium + title: RHEL 10 must be configured to prohibit modification of permissions for cron + configuration files and directories from the operating system defaults. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-400235 + levels: + - medium + title: RHEL 10 must enforce mode "0740" or less permissive for local initialization + files. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400240 + levels: + - medium + title: RHEL 10 must enforce mode "0750" or less permissive for local interactive + user home directories. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400245 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" + file to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400250 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" + file to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400255 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" + file to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400260 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" + file to prevent unauthorized access. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400265 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" + file to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400270 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file + to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400275 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file + to prevent unauthorized access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400280 + levels: + - medium + title: RHEL 10 must be configured so that a sticky bit is set on all public directories. + rules: + - dir_perms_world_writable_root_owned + - dir_perms_world_writable_sticky_bits + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_perf_event_paranoid + status: automated +- id: RHEL-10-400285 + levels: + - medium + title: RHEL 10 must be configured so that all local files and directories have a + valid group owner. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400290 + levels: + - medium + title: RHEL 10 must be configured so that all local files and directories must have + a valid owner. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400295 + levels: + - medium + title: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized + access. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400300 + levels: + - medium + title: RHEL 10 must be configured so that audit tools are owned by "root". + rules: + - file_audit_tools_group_ownership + - file_audit_tools_ownership + - file_audit_tools_permissions + status: automated +- id: RHEL-10-400305 + levels: + - medium + title: RHEL 10 must be configured so that audit tools are group-owned by "root". + rules: + - file_audit_tools_group_ownership + - file_audit_tools_ownership + - file_audit_tools_permissions + status: automated +- id: RHEL-10-400310 + levels: + - medium + title: RHEL 10 must set the umask value to "077" for all local interactive user + accounts. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400315 + levels: + - medium + title: RHEL 10 must define default permissions for the bash shell. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400320 + levels: + - medium + title: RHEL 10 must define default permissions for the c shell. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400325 + levels: + - medium + title: RHEL 10 must define default permissions for all authenticated users in such + a way that the user can read and modify only their own files. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400330 + levels: + - medium + title: RHEL 10 must define default permissions for the system default profile. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400335 + levels: + - medium + title: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles + have mode "0600" or less permissive. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400340 + levels: + - medium + title: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) + private host key files. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400345 + levels: + - medium + title: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" + file. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400350 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400355 + levels: + - medium + title: RHEL 10 must prevent device files from being interpreted on file systems + that contain user home directories. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-400360 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being + executed on file systems that contain user home directories. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-400365 + levels: + - medium + title: RHEL 10 must prevent code from being executed on file systems that contain + user home directories. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-400400 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "nodev" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-400405 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "noexec" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-400410 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "nosuid" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-400450 + levels: + - medium + title: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. 
+ rules: + - file_audit_tools_group_ownership + - file_audit_tools_ownership + - file_audit_tools_permissions + status: automated +- id: RHEL-10-400500 + levels: + - medium + title: RHEL 10 must prohibit local initialization files from executing world-writable + programs. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-500000 + levels: + - medium + title: RHEL 10 must enable the systemd-journald service. + rules: + - service_systemd-journald_enabled + status: automated +- id: RHEL-10-500005 + levels: + - medium + title: RHEL 10 must enable auditing of processes that start prior to the audit daemon. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-500010 + levels: + - medium + title: RHEL 10 must audit local events. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_lastlog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - 
audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500015 + levels: + - medium + title: RHEL 10 must write audit records to disk. + rules: + - audit_rules_immutable + - directory_group_ownership_var_log_audit + - directory_ownership_var_log_audit + - file_group_ownership_var_log_audit + - file_ownership_var_log_audit_stig + - file_permissions_var_log_audit + status: automated +- id: RHEL-10-500020 + levels: + - medium + title: RHEL 10 must log username information when unsuccessful login attempts occur. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-500025 + levels: + - medium + title: RHEL 10 must allow only the information system security manager (ISSM) (or + individuals or roles appointed by the ISSM) to select which auditable events are + to be audited. + rules: + - file_permissions_etc_audit_auditd + - file_permissions_etc_audit_rulesd + status: automated +- id: RHEL-10-500030 + levels: + - medium + title: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture + processes that start prior to the audit daemon. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_audispd_configure_sufficiently_large_partition + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - package_audit_installed + - partition_for_var_log_audit + - service_auditd_enabled + - var_audit_backlog_limit=8192 + status: automated +- id: RHEL-10-500035 + levels: + - medium + title: RHEL 10 must take appropriate action when a critical audit processing failure + occurs. 
+ rules: + - audit_rules_system_shutdown + - auditd_data_retention_action_mail_acct + - package_postfix_installed + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_audit_failure_mode=panic + - var_auditd_action_mail_acct=root + - var_postfix_root_mail_alias=mil_sysadmin + status: automated +- id: RHEL-10-500040 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches + 75 percent of the audit record storage capacity. + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=single + - var_auditd_admin_space_left_percentage=5pc + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated +- id: RHEL-10-500045 + levels: + - medium + title: RHEL 10 must label all off-loaded audit logs before sending them to the central + log server. + rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - package_audit_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + - service_auditd_enabled + status: automated +- id: RHEL-10-500100 + levels: + - low + title: RHEL 10 must allocate audit record storage capacity to store at least one + week's worth of audit records. 
+ rules: + - auditd_audispd_configure_sufficiently_large_partition + - auditd_name_format + - auditd_overflow_action + - grub2_audit_backlog_limit_argument + - package_audispd-plugins_installed + - partition_for_var_log_audit + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + - var_audit_backlog_limit=8192 + status: automated +- id: RHEL-10-500105 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches + 95 percent of the audit record storage capacity. + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=single + - var_auditd_admin_space_left_percentage=5pc + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated +- id: RHEL-10-500110 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches + 95 percent of the repository maximum audit record storage capacity. + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=single + - var_auditd_admin_space_left_percentage=5pc + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated +- id: RHEL-10-500115 + levels: + - medium + title: RHEL 10 must take appropriate action when the internal event queue is full. 
+ rules: + - auditd_name_format + - auditd_overflow_action + - package_audispd-plugins_installed + - package_rsyslog_installed + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_loghost + status: automated +- id: RHEL-10-500120 + levels: + - medium + title: RHEL 10 must produce audit records containing information to establish the + identity of any individual or process associated with the event. + rules: + - auditd_log_format + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500125 + levels: + - medium + title: RHEL 10 must periodically flush audit records to disk to ensure that audit + records are not lost. + rules: + - auditd_freq + - package_audit_installed + - package_rsyslog_installed + - service_auditd_enabled + - var_auditd_freq=100 + status: automated +- id: RHEL-10-500205 + levels: + - medium + title: RHEL 10 must notify the system administrator (SA) and information system + security officer (ISSO) (at a minimum) when allocated audit record storage volume + 75 percent utilization. + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=single + - var_auditd_admin_space_left_percentage=5pc + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated +- id: RHEL-10-500210 + levels: + - medium + title: RHEL 10 must notify the system administrator (SA) and/or information system + security officer (ISSO) (at a minimum) of an audit processing failure. 
+ rules: + - audit_rules_system_shutdown + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - package_postfix_installed + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_audit_failure_mode=panic + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=single + - var_auditd_admin_space_left_percentage=5pc + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + - var_postfix_root_mail_alias=mil_sysadmin + status: automated +- id: RHEL-10-500215 + levels: + - medium + title: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the + server. + rules: + - rsyslog_remote_access_monitoring + - sshd_set_loglevel_verbose + status: automated +- id: RHEL-10-500300 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "execve" system call. + rules: + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_suid_privilege_function + status: automated +- id: RHEL-10-500310 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and + "lremovexattr" system calls. 
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500320
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of "umount" system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500330
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "chacl" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500340
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "setfacl" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500350
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "chcon" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500360
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "semanage" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500370
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "setfiles" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500380
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "setsebool" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500390
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at"
+ system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500400
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "delete_module" system call.
+ rules:
+ - audit_privileged_commands_init
+ - audit_privileged_commands_poweroff
+ - audit_privileged_commands_reboot
+ - audit_privileged_commands_shutdown
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_rmmod
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500410
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "init_module" and "finit_module" system calls.
+ rules:
+ - audit_privileged_commands_init
+ - audit_privileged_commands_poweroff
+ - audit_privileged_commands_reboot
+ - audit_privileged_commands_shutdown
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_rmmod
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500420
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "chage" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500430
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "chsh" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500440
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "crontab" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500450
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "gpasswd" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500460
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "kmod" command.
+ rules:
+ - audit_privileged_commands_init
+ - audit_privileged_commands_poweroff
+ - audit_privileged_commands_reboot
+ - audit_privileged_commands_shutdown
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_rmmod
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500470
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "newgrp" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500480
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "pam_timestamp_check" command.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ - audit_rules_execution_chacl
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setfacl
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_media_export
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_kmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_pkexec
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_agent
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_unix_update
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_privileged_commands_usermod
+ - audit_rules_sudoers
+ - audit_rules_sudoers_d
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_local_events
+ - configure_usbguard_auditbackend
+ - grub2_audit_argument
+ - package_audit_installed
+ - service_auditd_enabled
+ status: automated
+- id: RHEL-10-500490
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses
+ of the "passwd" command.
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500500 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "postdrop" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500510 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "postqueue" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500520 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the ssh-agent command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500530 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "ssh-keysign" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500540 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "su" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_suid_privilege_function + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500550 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "sudo" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_suid_privilege_function + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500560 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "sudoedit" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_suid_privilege_function + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500570 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "unix_chkpwd" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500580 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "unix_update" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500590 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "userhelper" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500600 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "usermod" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500610 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "mount" command. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500620 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "init" command. 
+ rules: + - audit_privileged_commands_init + - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot + - audit_privileged_commands_shutdown + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + status: automated +- id: RHEL-10-500630 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "poweroff" command. + rules: + - audit_privileged_commands_init + - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot + - audit_privileged_commands_shutdown + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + status: automated +- id: RHEL-10-500640 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "reboot" command. + rules: + - audit_privileged_commands_init + - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot + - audit_privileged_commands_shutdown + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + status: automated +- id: RHEL-10-500650 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the shutdown command. 
+ rules: + - audit_privileged_commands_init + - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot + - audit_privileged_commands_shutdown + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + status: automated +- id: RHEL-10-500660 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "umount" system call. + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - 
audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed 
+ - service_auditd_enabled + status: automated +- id: RHEL-10-500670 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "umount2" system call. + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - 
audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500680 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/sudoers". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500690 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect the "/etc/sudoers.d/" directory. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500700 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/group". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500710 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/gshadow". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500720 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/opasswd". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500730 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/passwd". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500740 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/shadow". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500750 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/var/log/faillock". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - 
audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500760 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/var/log/lastlog". 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500780 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", + "fchmodat", and "fchmodat2" syscalls. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500790 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", + "fchownat", and "lchown" syscalls. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-500810 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "rename", "unlink", + "rmdir", "renameat", "renameat2", and "unlinkat" system calls. 
+ rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_umount + - audit_rules_dac_modification_umount2 + - audit_rules_execution_chacl + - audit_rules_execution_chcon + - audit_rules_execution_semanage + - audit_rules_execution_setfacl + - audit_rules_execution_setfiles + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_media_export + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_kmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_pkexec + - audit_rules_privileged_commands_postdrop + - 
audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_agent + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_unix_update + - audit_rules_privileged_commands_userhelper + - audit_rules_privileged_commands_usermod + - audit_rules_sudoers + - audit_rules_sudoers_d + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_local_events + - configure_usbguard_auditbackend + - grub2_audit_argument + - package_audit_installed + - service_auditd_enabled + status: automated +- id: RHEL-10-600000 + levels: + - medium + title: RHEL 10 must require a boot loader superuser password. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-600010 + levels: + - medium + title: RHEL 10 must require a unique superusers name upon booting into single-user + and maintenance modes. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-600020 + levels: + - medium + title: RHEL 10 must not assign an interactive login shell for system accounts. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-600100 + levels: + - medium + title: RHEL 10 must, for new users or password changes, have a 60-day maximum password + lifetime restriction for user account passwords in "/etc/login.defs". + rules: + - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing + - var_accounts_maximum_age_login_defs=60 + status: automated +- id: RHEL-10-600110 + levels: + - medium + title: RHEL 10 must, for user account passwords, have a 60-day maximum password + lifetime restriction. + rules: + - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing + - var_accounts_maximum_age_login_defs=60 + status: automated +- id: RHEL-10-600120 + levels: + - medium + title: RHEL 10 must assign a home directory for local interactive user accounts + upon creation. 
+ rules: + - bios_enable_execution_restrictions + - grub2_init_on_free + - sysctl_kernel_exec_shield + - sysctl_kernel_kptr_restrict + status: automated +- id: RHEL-10-600130 + levels: + - medium + title: RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive + users. + rules: + - account_unique_id + - gid_passwd_group_same + - group_unique_id + status: automated +- id: RHEL-10-600140 + levels: + - medium + title: RHEL 10 must automatically expire temporary accounts within 72 hours. + rules: + - account_temp_expire_date + status: automated +- id: RHEL-10-600150 + levels: + - medium + title: RHEL 10 must assign a primary group to all interactive users. + rules: + - account_unique_id + - gid_passwd_group_same + - group_unique_id + status: automated +- id: RHEL-10-600160 + levels: + - medium + title: RHEL 10 must disable account identifiers (individuals, groups, roles, and + devices) after 35 days of inactivity. + rules: + - account_disable_post_pw_expiration + status: automated +- id: RHEL-10-600170 + levels: + - medium + title: RHEL 10 must be configured so that all local interactive user initialization + file executable search path statements do not contain statements that will reference + a working directory other than user home directories. + rules: [] + status: pending +- id: RHEL-10-600180 + levels: + - medium + title: RHEL 10 must assign a home directory to all local interactive users in the + "/etc/passwd" file. + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-600190 + levels: + - medium + title: RHEL 10 must ensure that all local interactive user home directories defined + in the "/etc/passwd" file must exist. 
+ rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-600200 + levels: + - medium + title: RHEL 10 must enforce a delay of at least four seconds between login prompts + following a failed login attempt. + rules: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600210 + levels: + - medium + title: RHEL 10 must enforce a 24-hours minimum password lifetime restriction for + passwords for new users or password changes in "/etc/login.defs". + rules: + - accounts_minimum_age_login_defs + - accounts_password_set_min_life_existing + - var_accounts_minimum_age_login_defs=1 + status: automated +- id: RHEL-10-600220 + levels: + - medium + title: RHEL 10 must enforce that passwords be created with a minimum of 15 characters. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_minlen + - var_password_pam_minlen=15 + status: automated +- id: RHEL-10-600230 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring at least one special + character to be used. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_ocredit + - var_password_pam_ocredit=1 + status: automated +- id: RHEL-10-600240 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one lowercase + character be used. 
+ rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - var_password_pam_lcredit=1 + status: automated +- id: RHEL-10-600250 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one uppercase + character be used. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600260 + levels: + - medium + title: RHEL 10 must require the change of at least eight characters when passwords + are changed. + rules: + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - var_password_pam_difok=8 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + status: automated +- id: RHEL-10-600270 + levels: + - medium + title: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime + restriction in "/etc/shadow". + rules: + - accounts_minimum_age_login_defs + - accounts_password_set_min_life_existing + - var_accounts_minimum_age_login_defs=1 + status: automated +- id: RHEL-10-600280 + levels: + - medium + title: RHEL 10 must require the maximum number of repeating characters of the same + character class to be limited to four when passwords are changed. 
+ rules: + - accounts_password_pam_dictcheck + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - var_password_pam_dictcheck=1 + - var_password_pam_difok=8 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + - var_password_pam_remember=5 + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600290 + levels: + - medium + title: RHEL 10 must require that the maximum number of repeating characters be limited + to three when passwords are changed. + rules: + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - var_password_pam_difok=8 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + status: automated +- id: RHEL-10-600300 + levels: + - medium + title: RHEL 10 must require the change of at least four character classes when passwords + are changed. + rules: + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - var_password_pam_difok=8 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + status: automated +- id: RHEL-10-600310 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one numeric + character be used. + rules: + - accounts_password_pam_dcredit + - accounts_password_pam_enforce_root + - var_password_pam_dcredit=1 + status: automated +- id: RHEL-10-600320 + levels: + - medium + title: RHEL 10 must prevent the use of dictionary words for passwords. 
+ rules: + - accounts_password_pam_dictcheck + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - var_password_pam_difok=8 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + status: automated +- id: RHEL-10-600400 + levels: + - medium + title: RHEL 10 must allow only the root account to have unrestricted access to the + system. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-600405 + levels: + - medium + title: RHEL 10 must enforce password complexity rules for the "root" account. + rules: + - accounts_password_pam_dcredit + - accounts_password_pam_dictcheck + - accounts_password_pam_difok + - accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_ocredit + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_dcredit=1 + - var_password_pam_difok=8 + - var_password_pam_lcredit=1 + - var_password_pam_maxclassrepeat=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_minclass=4 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600410 + levels: + - medium + title: RHEL 10 must automatically lock an account when three unsuccessful login + attempts occur. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600415 + levels: + - medium + title: RHEL 10 must automatically lock the root account until the root account is + released by an administrator when three unsuccessful login attempts occur during + a 15-minute time period. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600420 + levels: + - medium + title: RHEL 10 must automatically lock an account when three unsuccessful login + attempts occur during a 15-minute time period. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600425 + levels: + - medium + title: RHEL 10 must maintain an account lock until the locked account is released + by an administrator. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600430 + levels: + - medium + title: RHEL 10 must ensure account lockouts persist. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600450 + levels: + - medium + title: RHEL 10 must not have unauthorized accounts. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-600455 + levels: + - medium + title: RHEL 10 must not allow blank or null passwords. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600460 + levels: + - medium + title: RHEL 10 must not have accounts configured with blank or null passwords. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600470 + levels: + - medium + title: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". 
+ rules: + - account_unique_id + - gid_passwd_group_same + - group_unique_id + status: automated +- id: RHEL-10-600475 + levels: + - low + title: RHEL 10 must limit the number of concurrent sessions to 10 for all accounts + and/or account types. + rules: + - accounts_max_concurrent_login_sessions + - var_accounts_max_concurrent_login_sessions=10 + status: automated +- id: RHEL-10-600485 + levels: + - medium + title: RHEL 10 must ensure the password complexity module in the system-auth file + is configured for three or fewer retries. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600500 + levels: + - medium + title: RHEL 10 must restrict the use of the "su" command. + rules: + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - use_pam_wheel_for_su + status: automated +- id: RHEL-10-600510 + levels: + - medium + title: RHEL 10 must be configured to not bypass password requirements for privilege + escalation. + rules: + - disallow_bypass_password_sudo + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + status: automated +- id: RHEL-10-600520 + levels: + - medium + title: RHEL 10 must restrict privilege elevation to authorized personnel. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-600530 + levels: + - medium + title: RHEL 10 must require users to reauthenticate for privilege escalation. 
+ rules: + - disallow_bypass_password_sudo + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + status: automated +- id: RHEL-10-600540 + levels: + - medium + title: RHEL 10 must require reauthentication when using the "sudo" command. + rules: + - disallow_bypass_password_sudo + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + status: automated +- id: RHEL-10-600550 + levels: + - medium + title: RHEL 10 must use the invoking user's password for privilege escalation when + using "sudo". + rules: + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + status: automated +- id: RHEL-10-600560 + levels: + - high + title: RHEL 10 must require users to provide a password for privilege escalation. + rules: + - disallow_bypass_password_sudo + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + status: automated +- id: RHEL-10-600600 + levels: + - medium + title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" + file. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600610 + levels: + - medium + title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" + file. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-600620 + levels: + - medium + title: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" + file. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600630 + levels: + - medium + title: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" + file. + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_retry + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_ucredit + - var_password_pam_retry=3 + - var_password_pam_ucredit=1 + status: automated +- id: RHEL-10-600640 + levels: + - high + title: RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for + SSHD. 
+ rules: + - sshd_enable_pam + - sysctl_crypto_fips_enabled + status: automated +- id: RHEL-10-600650 + levels: + - medium + title: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth + file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. + rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600700 + levels: + - medium + title: RHEL 10 must be configured to use a sufficient number of hashing rounds for + the shadow password suite. + rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600710 + levels: + - medium + title: RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing + algorithm for system authentication by ensuring that the pam_unix.so module is + configured in the "system-auth" file. 
+ rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600720 + levels: + - medium + title: RHEL 10 must be configured so that password-auth uses a sufficient number + of hashing rounds. + rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600730 + levels: + - high + title: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms + for all stored passwords. + rules: + - libreswan_approved_tunnels + - package_rsyslog-gnutls_installed + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600740 + levels: + - high + title: RHEL 10 must be configured to use the shadow file to store only encrypted + representations of passwords. 
+ rules: + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-600750 + levels: + - high + title: RHEL 10 must be configured so that user and group account administration + utilities are configured to store only encrypted representations of passwords. + rules: + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_min_rounds_logindefs + - var_password_hashing_algorithm_pam=sha512 + - var_password_pam_unix_rounds=100000 + status: automated +- id: RHEL-10-700010 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner + before granting local or remote access to the system via a Secure Shell (SSH) + login. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700020 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner + before granting local or remote access to the system via a graphical user login. + rules: + - banner_etc_issue + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - sshd_enable_warning_banner + status: automated +- id: RHEL-10-700030 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the banner-message-enable setting + for the graphical user interface. 
+ rules: + - banner_etc_issue + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - sshd_enable_warning_banner + status: automated +- id: RHEL-10-700040 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner + before granting local or remote access to the system via a command line user login. + rules: + - banner_etc_issue + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - sshd_enable_warning_banner + status: automated +- id: RHEL-10-700100 + levels: + - medium + title: RHEL 10 must prevent special devices on file systems that are imported via + Network File System (NFS). + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700105 + levels: + - medium + title: RHEL 10 must prevent code from being executed on file systems that are imported + via Network File System (NFS). + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700110 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being + executed on file systems that are imported via Network File System (NFS). + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700115 + levels: + - medium + title: RHEL 10 must be configured so that the Network File System (NFS) is configured + to use RPCSEC_GSS. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700120 + levels: + - medium + title: RHEL 10 must mount "/boot" with the "nodev" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700125 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being + executed on the "/boot" directory. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700130 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being + executed on the "/boot/efi" directory. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700135 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "nodev" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700140 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "noexec" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700145 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "nosuid" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700150 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "nodev" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700155 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "noexec" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700160 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "nosuid" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700165 + levels: + - medium + title: RHEL 10 must mount "/var" with the "nodev" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700170 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "nodev" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700175 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "noexec" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700180 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "nosuid" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700185 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "nodev" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700190 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "noexec" option. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700195 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "nosuid" option. 
+ rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700200 + levels: + - medium + title: RHEL 10 must prevent special devices on nonroot local partitions. + rules: + - fapolicy_default_deny + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_noexec + - mount_option_var_log_audit_nosuid + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + - mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - package_fapolicyd_installed + - service_fapolicyd_enabled + status: automated +- id: RHEL-10-700400 + levels: + - medium + title: RHEL 10 must enable the SELinux targeted policy. 
+ rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700410 + levels: + - medium + title: RHEL 10 must elevate the SELinux context when an administrator calls the + sudo command. + rules: + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disallow_bypass_password_sudo + - package_sudo_installed + - service_debug-shell_disabled + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - var_sudo_timestamp_timeout=always_prompt + status: automated +- id: RHEL-10-700420 + levels: + - medium + title: RHEL 10 must use a Linux Security Module configured to enforce limits on + system services. + rules: + - grub2_init_on_free + - grub2_page_poison_argument + - grub2_vsyscall_argument + - package_aide_installed + - package_policycoreutils_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700430 + levels: + - medium + title: RHEL 10 must configure SELinux context type to allow the use of a nondefault + faillock tally directory. 
+ rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + - account_password_selinux_faillock_dir + - accounts_passwords_pam_faillock_audit + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - audit_rules_login_events_faillock + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated +- id: RHEL-10-700500 + levels: + - medium + title: RHEL 10 must be configured so that Secure Shell (SSH) public host key files + have mode "0644" or less permissive. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700510 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not + allow Generic Security Service Application Program Interface (GSSAPI) authentication. + rules: [] + status: pending +- id: RHEL-10-700520 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not + allow Kerberos authentication. + rules: [] + status: pending +- id: RHEL-10-700530 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not + allow rhosts authentication. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700540 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not + allow known hosts authentication. 
+ rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700550 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables + remote X connections for interactive users. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700560 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs + strict mode checking of home directory configuration files. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700570 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays + the date and time of the last successful account login upon an SSH login. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700580 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents + remote hosts from connecting to the proxy display. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700590 + levels: + - medium + title: RHEL 10 must be configured so that Secure Shell (SSH) server configuration + files' permissions are not modified. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700600 + levels: + - medium + title: RHEL 10 must be configured so that SSHD accepts public key authentication. + rules: + - configure_opensc_card_drivers + - install_smartcard_packages + - sshd_disable_empty_passwords + - sshd_enable_pubkey_auth + - sssd_enable_smartcards + - var_smartcard_drivers=cac + status: automated +- id: RHEL-10-700610 + levels: + - medium + title: RHEL 10 must be configured so that SSHD does not allow blank passwords. + rules: + - configure_opensc_card_drivers + - disable_host_auth + - gnome_gdm_disable_automatic_login + - sshd_disable_empty_passwords + - sshd_do_not_permit_user_env + - sshd_enable_pubkey_auth + - var_smartcard_drivers=cac + status: automated +- id: RHEL-10-700620 + levels: + - medium + title: RHEL 10 must not permit direct logins to the root account using remote access + via Secure Shell (SSH). + rules: + - configure_opensc_card_drivers + - sshd_disable_root_login + status: automated +- id: RHEL-10-700630 + levels: + - medium + title: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login + to the system. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700640 + levels: + - high + title: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables. 
+ rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-700650 + levels: + - high + title: RHEL 10 must force a frequent session key renegotiation for Secure Shell + (SSH) connections to the server. + rules: + - configure_bind_crypto_policy + - configure_libreswan_crypto_policy + - package_openssh-server_installed + - service_sshd_enabled + - ssh_client_rekey_limit + - sshd_rekey_limit + - sysctl_crypto_fips_enabled + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - wireless_disable_interfaces + status: automated +- id: RHEL-10-700660 + levels: + - medium + title: RHEL 10 must be configured so that all network connections associated with + Secure Shell (SSH) traffic terminate after becoming unresponsive. + rules: + - accounts_tmout + - logind_session_timeout + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_accounts_tmout=15_min + - var_sshd_set_keepalive=1 + status: automated +- id: RHEL-10-700670 + levels: + - medium + title: RHEL 10 must forward mail from postmaster to the root account using a postfix + alias. + rules: + - audit_rules_system_shutdown + - auditd_data_retention_action_mail_acct + - package_postfix_installed + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_audit_failure_mode=panic + - var_auditd_action_mail_acct=root + - var_postfix_root_mail_alias=mil_sysadmin + status: automated +- id: RHEL-10-700680 + levels: + - medium + title: RHEL 10 must not have a "shosts.equiv" file on the system. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700690 + levels: + - medium + title: RHEL 10 must not have any ".shosts" files on the system. 
+ rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700700 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical + user interface automount function. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-700710 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical + user interface autorun function. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-700720 + levels: + - high + title: RHEL 10 must not allow unattended or automatic login via the graphical user + interface. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700730 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical + user smart card removal action. + rules: + - dconf_gnome_lock_screen_on_smartcard_removal + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_locked + status: automated +- id: RHEL-10-700740 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the screensaver lock-enabled + setting for the graphical user interface. 
+ rules: + - dconf_gnome_lock_screen_on_smartcard_removal + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_locked + status: automated +- id: RHEL-10-700750 + levels: + - medium + title: RHEL 10 must automatically lock graphical user sessions after 15 minutes + of inactivity. + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + status: automated +- id: RHEL-10-700760 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the session idle-delay setting + for the graphical user interface. + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + status: automated +- id: RHEL-10-700770 + levels: + - medium + title: RHEL 10 must initiate a session lock for graphical user interfaces when the + screensaver is activated. + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + status: automated +- id: RHEL-10-700780 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the session lock-delay setting + for the graphical user interface. 
+ rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + status: automated +- id: RHEL-10-700790 + levels: + - medium + title: RHEL 10 must conceal, via the session lock, information previously visible + on the display with a publicly viewable image. + rules: + - dconf_gnome_screensaver_mode_blank + status: automated +- id: RHEL-10-700800 + levels: + - medium + title: RHEL 10 must ensure effective dconf policy matches the policy keyfiles. + rules: + - account_temp_expire_date + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + - grub2_admin_username + - grub2_password + - require_singleuser_auth + status: automated +- id: RHEL-10-700810 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting + for the graphical user interface. + rules: + - package_aide_installed + - selinux_context_elevation_for_sudo + - selinux_policytype + - selinux_state + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + status: automated +- id: RHEL-10-700820 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings + for the graphical user interface. + rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-700830 + levels: + - medium + title: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del + and cause a system to shut down or reboot. 
+ rules: + - firewalld-backend + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + - sysctl_net_ipv4_tcp_syncookies + status: automated +- id: RHEL-10-700840 + levels: + - medium + title: RHEL 10 must disable the user list at login for graphical user interfaces. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-700850 + levels: + - medium + title: RHEL 10 must be configured to disable USB mass storage. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-700860 + levels: + - medium + title: RHEL 10 must disable Bluetooth. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - wireless_disable_interfaces + status: automated +- id: RHEL-10-700870 + levels: + - medium + title: RHEL 10 must disable wireless network adapters. + rules: + - kernel_module_bluetooth_disabled + - package_openssh-server_installed + - service_sshd_enabled + - ssh_client_rekey_limit + - wireless_disable_interfaces + status: automated +- id: RHEL-10-700880 + levels: + - medium + title: RHEL 10 must disable the graphical user interface automounter unless required. + rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-700890 + levels: + - low + title: RHEL 10 must disable the graphical user interface autorunner unless required. 
+ rules: + - dconf_gnome_disable_automount_open + - dconf_gnome_disable_autorun + - kernel_module_usb-storage_disabled + - package_usbguard_installed + - service_autofs_disabled + - service_usbguard_enabled + - usbguard_generate_policy + status: automated +- id: RHEL-10-700900 + levels: + - medium + title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized + code execution. + rules: + - bios_enable_execution_restrictions + - grub2_init_on_free + - sysctl_kernel_exec_shield + - sysctl_kernel_kptr_restrict + status: automated +- id: RHEL-10-700920 + levels: + - medium + title: RHEL 10 must automatically exit interactive command shell user sessions after + 15 minutes of inactivity. + rules: + - accounts_tmout + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + - inactivity_timeout_value=15_minutes + - logind_session_timeout + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_accounts_tmout=15_min + - var_screensaver_lock_delay=5_seconds + - var_sshd_set_keepalive=1 + status: automated +- id: RHEL-10-700930 + levels: + - medium + title: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) + daemon. + rules: + - accounts_tmout + - logind_session_timeout + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_accounts_tmout=15_min + - var_sshd_set_keepalive=1 + status: automated +- id: RHEL-10-700940 + levels: + - medium + title: RHEL 10 must not default to the graphical display manager unless approved. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-700950 + levels: + - high + title: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence. 
+ rules: + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disallow_bypass_password_sudo + - package_sudo_installed + - service_debug-shell_disabled + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - var_sudo_timestamp_timeout=always_prompt + status: automated +- id: RHEL-10-700960 + levels: + - high + title: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence. + rules: + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disallow_bypass_password_sudo + - package_sudo_installed + - service_debug-shell_disabled + - sudo_remove_no_authenticate + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - var_sudo_timestamp_timeout=always_prompt + status: automated +- id: RHEL-10-700980 + levels: + - medium + title: RHEL 10 must disable the ability of systemd to spawn an interactive boot + process. + rules: + - kernel_module_bluetooth_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + status: automated +- id: RHEL-10-700990 + levels: + - medium + title: RHEL 10 must disable virtual system calls. + rules: + - grub2_init_on_free + - grub2_page_poison_argument + - grub2_vsyscall_argument + - package_policycoreutils_installed + - selinux_state + status: automated +- id: RHEL-10-701000 + levels: + - medium + title: RHEL 10 must clear the page allocator to prevent use-after-free attacks. + rules: + - grub2_init_on_free + - grub2_page_poison_argument + - grub2_vsyscall_argument + - package_policycoreutils_installed + - selinux_state + status: automated +- id: RHEL-10-701010 + levels: + - medium + title: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks. 
+ rules:
+ - grub2_init_on_free
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
+ - package_policycoreutils_installed
+ - selinux_state
+ status: automated
+- id: RHEL-10-701020
+ levels:
+ - medium
+ title: RHEL 10 must enable mitigations against processor-based vulnerabilities.
+ rules:
+ - grub2_pti_argument
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ - sysctl_kernel_randomize_va_space
+ status: automated
+- id: RHEL-10-701030
+ levels:
+ - medium
+ title: RHEL 10 must restrict access to the kernel message buffer.
+ rules:
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid
+ status: automated
+- id: RHEL-10-701040
+ levels:
+ - medium
+ title: RHEL 10 must prevent kernel profiling by nonprivileged users.
+ rules:
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid
+ status: automated
+- id: RHEL-10-701050
+ levels:
+ - high
+ title: RHEL 10 must prevent the loading of a new kernel for later execution.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+ - ensure_redhat_gpgkey_installed
+ - package_sequoia-sq_installed
+ - package_subscription-manager_installed
+ - sysctl_kernel_kexec_load_disabled
+ status: automated
+- id: RHEL-10-701060
+ levels:
+ - medium
+ title: RHEL 10 must restrict exposed kernel pointer address access.
+ rules:
+ - bios_enable_execution_restrictions
+ - grub2_init_on_free
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: RHEL-10-701070
+ levels:
+ - medium
+ title: RHEL 10 must enable kernel parameters to enforce discretionary access control
+ (DAC) on hardlinks.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ - disable_ctrlaltdel_reboot
+ - disallow_bypass_password_sudo
+ - package_sudo_installed
+ - service_debug-shell_disabled
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_reauthentication
+ - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_symlinks
+ - use_pam_wheel_for_su
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+- id: RHEL-10-701080
+ levels:
+ - medium
+ title: RHEL 10 must enable kernel parameters to enforce discretionary access control
+ (DAC) on symlinks.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ - disable_ctrlaltdel_reboot
+ - disallow_bypass_password_sudo
+ - package_sudo_installed
+ - service_debug-shell_disabled
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_reauthentication
+ - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_symlinks
+ - use_pam_wheel_for_su
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+- id: RHEL-10-701090
+ levels:
+ - medium
+ title: RHEL 10 must disable the "kernel.core_pattern".
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701100
+ levels:
+ - medium
+ title: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel
+ module.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701110
+ levels:
+ - medium
+ title: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel
+ module.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701120
+ levels:
+ - medium
+ title: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel
+ module.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701130
+ levels:
+ - medium
+ title: RHEL 10 must implement address space layout randomization (ASLR) to protect
+ its memory from unauthorized code execution.
+ rules:
+ - grub2_pti_argument
+ - sysctl_kernel_randomize_va_space
+ status: automated
+- id: RHEL-10-701140
+ levels:
+ - medium
+ title: RHEL 10 must restrict usage of ptrace to descendant processes.
+ rules: []
+ status: pending
+- id: RHEL-10-701150
+ levels:
+ - medium
+ title: RHEL 10 must disable core dump backtraces.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701160
+ levels:
+ - medium
+ title: RHEL 10 must disable storing core dumps.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701170
+ levels:
+ - medium
+ title: RHEL 10 must disable core dumps for all users.
+ rules:
+ - kernel_module_bluetooth_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ status: automated
+- id: RHEL-10-701180
+ levels:
+ - medium
+ title: RHEL 10 must disable acquiring, saving, and processing core dumps.
+ rules: []
+ status: pending
+- id: RHEL-10-701190
+ levels:
+ - medium
+ title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized
+ code execution.
+ rules:
+ - bios_enable_execution_restrictions
+ - grub2_init_on_free
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: RHEL-10-701200
+ levels:
+ - medium
+ title: RHEL 10 must disable the kdump service.
+ rules:
+ - service_systemd-journald_enabled
+ status: automated
+- id: RHEL-10-701210
+ levels:
+ - medium
+ title: RHEL 10 must disable file system automount function unless required.
+ rules:
+ - dconf_gnome_disable_automount_open
+ - dconf_gnome_disable_autorun
+ - kernel_module_usb-storage_disabled
+ - package_usbguard_installed
+ - service_autofs_disabled
+ - service_usbguard_enabled
+ - usbguard_generate_policy
+ status: automated
+- id: RHEL-10-701220
+ levels:
+ - medium
+ title: RHEL 10 must enable certificate-based smart card authentication.
+ rules:
+ - configure_opensc_card_drivers
+ - install_smartcard_packages
+ - package_opensc_installed
+ - package_pcsc-lite-ccid_installed
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
+ - sshd_disable_empty_passwords
+ - sshd_enable_pubkey_auth
+ - sssd_certificate_verification
+ - sssd_enable_smartcards
+ - var_smartcard_drivers=cac
+ - var_sssd_certificate_verification_digest_function=sha512
+ status: automated
+- id: RHEL-10-701230
+ levels:
+ - medium
+ title: RHEL 10 must implement certificate status checking for multifactor authentication.
+ rules:
+ - install_smartcard_packages
+ - package_opensc_installed
+ - package_pcsc-lite-ccid_installed
+ - package_pcsc-lite_installed
+ - package_sssd_installed
+ - service_pcscd_enabled
+ - service_sssd_enabled
+ - sssd_certificate_verification
+ - sssd_enable_smartcards
+ - var_sssd_certificate_verification_digest_function=sha512
+ status: automated
+- id: RHEL-10-701240
+ levels:
+ - medium
+ title: RHEL 10 must, for PKI-based authentication, enforce authorized access to
+ the corresponding private key.
+ rules:
+ - ssh_keys_passphrase_protected
+ status: automated
+- id: RHEL-10-701250
+ levels:
+ - medium
+ title: RHEL 10 must require authentication to access emergency mode.
+ rules:
+ - account_temp_expire_date
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_configuration
+ - file_permissions_audit_configuration
+ - grub2_admin_username
+ - grub2_password
+ - require_singleuser_auth
+ status: automated
+- id: RHEL-10-701260
+ levels:
+ - medium
+ title: RHEL 10 must require authentication to access single-user mode.
+ rules:
+ - account_temp_expire_date
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_configuration
+ - file_permissions_audit_configuration
+ - grub2_admin_username
+ - grub2_password
+ - require_singleuser_auth
+ status: automated
+- id: RHEL-10-701270
+ levels:
+ - medium
+ title: RHEL 10 must, for PKI-based authentication, validate certificates by constructing
+ a certification path (which includes status information) to an accepted trust
+ anchor.
+ rules:
+ - encrypt_partitions
+ - sssd_has_trust_anchor
+ status: automated
+- id: RHEL-10-701280
+ levels:
+ - medium
+ title: RHEL 10 must map the authenticated identity to the user or group account
+ for public key infrastructure (PKI)-based authentication.
+ rules:
+ - sssd_enable_certmap
+ status: automated
+- id: RHEL-10-701290
+ levels:
+ - medium
+ title: RHEL 10 must prohibit the use of cached authenticators after one day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+- id: RHEL-10-800000
+ levels:
+ - medium
+ title: RHEL 10 must control remote access methods.
+ rules:
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+ - configure_firewalld_ports
+ - firewalld_sshd_port_enabled
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+- id: RHEL-10-800010
+ levels:
+ - medium
+ title: RHEL 10 must be configured to prohibit or restrict the use of functions,
+ ports, protocols, and/or services, as defined in the Ports, Protocols, and Services
+ Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
+ rules:
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+ - configure_firewalld_ports
+ - firewalld_sshd_port_enabled
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+- id: RHEL-10-800020
+ levels:
+ - medium
+ title: RHEL 10 must enforce that network interfaces not be in promiscuous mode.
+ rules:
+ - configure_bind_crypto_policy
+ - package_openssh-server_installed
+ - service_sshd_enabled
+ - sysctl_crypto_fips_enabled
+ status: automated
+- id: RHEL-10-800030
+ levels:
+ - medium
+ title: RHEL 10 must disable access to the network bpf system call from nonprivileged
+ processes.
+ rules: []
+ status: pending
+- id: RHEL-10-800040
+ levels:
+ - medium
+ title: RHEL 10 must securely compare internal information system clocks at least
+ every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
+ - chronyd_specify_remote_server
+ - package_audit_installed
+ - package_chrony_installed
+ - service_chronyd_enabled
+ - var_multiple_time_servers=stig
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+- id: RHEL-10-800050
+ levels:
+ - medium
+ title: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time
+ compiler.
+ rules:
+ - bios_enable_execution_restrictions
+ - grub2_init_on_free
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: RHEL-10-800060
+ levels:
+ - medium
+ title: RHEL 10 must have at least two name servers configured for systems using
+ Domain Name Server (DNS) resolution.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800070
+ levels:
+ - medium
+ title: RHEL 10 must not have unauthorized IP tunnels configured.
+ rules:
+ - account_temp_expire_date
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_configuration
+ - file_permissions_audit_configuration
+ - grub2_admin_username
+ - grub2_password
+ - require_singleuser_auth
+ status: automated
+- id: RHEL-10-800080
+ levels:
+ - medium
+ title: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800090
+ levels:
+ - medium
+ title: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message
+ Protocol (ICMP) redirect messages.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800100
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed
+ packets.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800110
+ levels:
+ - medium
+ title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible
+ addresses.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800120
+ levels:
+ - medium
+ title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible
+ addresses by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800130
+ levels:
+ - medium
+ title: RHEL 10 must use reverse path filtering on all Internet Protocol version
+ 4 (IPv4) interfaces.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800140
+ levels:
+ - medium
+ title: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control
+ Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800150
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed
+ packets by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800160
+ levels:
+ - medium
+ title: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4)
+ network traffic when possible by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800170
+ levels:
+ - medium
+ title: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes
+ sent to a broadcast address.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800180
+ levels:
+ - medium
+ title: RHEL 10 must limit the number of bogus Internet Control Message Protocol
+ (ICMP) response errors logs.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800190
+ levels:
+ - medium
+ title: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800200
+ levels:
+ - medium
+ title: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol
+ (ICMP) redirects by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800210
+ levels:
+ - medium
+ title: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding
+ unless the system is a router.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800220
+ levels:
+ - medium
+ title: RHEL 10 must not accept router advertisements on all Internet Protocol version
+ 6 (IPv6) interfaces.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800230
+ levels:
+ - medium
+ title: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect
+ messages.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800240
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed
+ packets.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800250
+ levels:
+ - medium
+ title: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding
+ unless the system is a router.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800260
+ levels:
+ - medium
+ title: RHEL 10 must not accept router advertisements on all Internet Protocol version
+ 6 (IPv6) interfaces by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800270
+ levels:
+ - medium
+ title: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control
+ Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800280
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed
+ packets by default.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800290
+ levels:
+ - medium
+ title: RHEL 10 must protect against or limit the effects of denial-of-service (DoS)
+ attacks by ensuring that rate-limiting measures on impacted network interfaces
+ are implemented.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800300
+ levels:
+ - medium
+ title: RHEL 10 must configure a DNS processing mode in Network Manager to avoid
+ conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries
+ to untrusted networks.
+ rules:
+ - firewalld-backend
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: RHEL-10-800310
+ levels:
+ - medium
+ title: RHEL 10 must be configured to operate in secure mode if the Trivial File
+ Transfer Protocol (TFTP) server service is required.
+ rules:
+ - package_telnet-server_removed
+ - package_tftp_removed
+ - package_vsftpd_removed
+ status: automated
+- id: RHEL-10-900000
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf"
+ file to prevent unauthorized access.
+ rules:
+ - file_permissions_etc_audit_auditd
+ - file_permissions_etc_audit_rulesd
+ status: automated
+- id: RHEL-10-900100
+ levels:
+ - medium
+ title: RHEL 10 must prevent unauthorized changes to the audit system.
+ rules:
+ - audit_rules_immutable
+ - directory_group_ownership_var_log_audit
+ - directory_ownership_var_log_audit
+ - directory_permissions_var_log_audit
+ - file_group_ownership_var_log_audit
+ - file_ownership_var_log_audit_stig
+ - file_permissions_var_log_audit
+ status: automated
+- id: RHEL-10-001000
+ levels:
+ - high
+ title: RHEL 10 must be a vendor-supported release.
+ rules: []
+ status: pending
diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile
index 3c1b0ee2b7cf..525208993d65 100644
--- a/products/rhel10/profiles/stig.profile
+++ b/products/rhel10/profiles/stig.profile
@@ -19,7 +19,7 @@ description: |-
Red Hat technologies that are based on Red Hat Enterprise Linux 10.
selections:
- - srg_gpos:all
+ - stig_rhel10:all
- '!enable_authselect' # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
- '!enable_dracut_fips_module'
From b96e05477d1ae3025e384e9686a73520d199c13d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 23 Jun 2026 14:25:16 +0200
Subject: [PATCH 3/7] Perform initial control mapping
Reviewed STIG requirements and performed initial mapping of rules for each requirement in the control file.
---
.../services/ssh/sshd_approved_ciphers.var | 1 +
.../guide/services/ssh/sshd_approved_macs.var | 1 +
products/rhel10/controls/stig_rhel10.yml | 7381 ++---------------
3 files changed, 554 insertions(+), 6829 deletions(-)
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 6accd5ec24c1..82bfa94f8712 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
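Review bot: Switching the selection from `srg_gpos:all` to `stig_rhel10:all` makes the built profile depend on the auto-generated mapping exactly as it stands in this commit, which still contains controls with `rules: []` and `status: pending` (RHEL-10-701140, RHEL-10-701180, RHEL-10-800030, RHEL-10-001000) and several mappings that do not match their titles (RHEL-10-700940 and RHEL-10-701090 select kernel_module_*_disabled rules, RHEL-10-701200 selects service_systemd-journald_enabled). Any rule that was reached only through `srg_gpos:all` and is absent from the new file drops out of the profile at this commit. If the intent is to land the switch before the mapping is reviewed, saying so in the commit message (for example "profile content regresses until the mapping is cleaned up") would help anyone bisecting a change in scan results; otherwise the one-line profile change could move into the commit that does the mapping.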
@@ -14,6 +14,7 @@ options:
stig: aes256-ctr,aes192-ctr,aes128-ctr
stig_extended: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
stig_rhel9: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+ stig_rhel10: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var
index 957ab19dbff8..327b3f2d09a7 100644
--- a/linux_os/guide/services/ssh/sshd_approved_macs.var
+++ b/linux_os/guide/services/ssh/sshd_approved_macs.var
@@ -14,6 +14,7 @@ options:
stig: hmac-sha2-512,hmac-sha2-256
stig_extended: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
stig_rhel9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+ stig_rhel10: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
diff --git a/products/rhel10/controls/stig_rhel10.yml b/products/rhel10/controls/stig_rhel10.yml
index 8169b4428b76..411742bec6dd 100644
--- a/products/rhel10/controls/stig_rhel10.yml
+++ b/products/rhel10/controls/stig_rhel10.yml
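Review bot: The new `stig_rhel10` option in sshd_approved_ciphers.var repeats the `stig_rhel9` value character for character, and the `stig_rhel10` line added to sshd_approved_macs.var in the next hunk does the same. That is fine if the RHEL 10 STIG prescribes the same lists in the same order, but nothing here records that this was checked, so the next person who updates one of the two lines cannot tell whether they are meant to stay in lockstep. A short comment above each new line, e.g. `# same list as stig_rhel9; taken from disa-stig-rhel10-v1r1-xccdf-manual.xml`, would settle that; the alternative is to keep selecting the existing `stig_rhel9` option from the RHEL 10 control file and add a product-specific option only once the lists diverge.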
@@ -15,30 +15,15 @@ controls: - medium title: RHEL 10 must disable the debug-shell systemd service. rules: - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-001020 levels: - medium title: RHEL 10 must ensure cryptographic verification of vendor software packages. rules: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - ensure_redhat_gpgkey_installed - package_sequoia-sq_installed - - package_subscription-manager_installed - - sysctl_kernel_kexec_load_disabled status: automated - id: RHEL-10-001030 levels: @@ -47,12 +32,6 @@ controls: originating from external software repositories before installation. rules: - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_redhat_gpgkey_installed - - package_sequoia-sq_installed - - package_subscription-manager_installed - - sysctl_kernel_kexec_load_disabled status: automated - id: RHEL-10-001040 levels: @@ -60,13 +39,7 @@ controls: title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation. rules: - - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_redhat_gpgkey_installed - - package_sequoia-sq_installed - - package_subscription-manager_installed - - sysctl_kernel_kexec_load_disabled status: automated - id: RHEL-10-001050 levels: 
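Review bot: `ensure_gpgcheck_never_disabled` is removed from RHEL-10-001020, RHEL-10-001030 and RHEL-10-001040 in this hunk and from RHEL-10-001050 in the next one without being kept under any of the four, so unless it is mapped to another control outside this view it silently leaves the profile now that `stig_rhel10:all` is the selection. The same goes for `sysctl_kernel_kexec_load_disabled`, dropped from the same four controls; the generated file also carried it under RHEL-10-701050, whose hunk is not in view, so that one may already be covered. RHEL-10-001050 ("GPG signature verification enabled for all software repositories") looks like the natural home for `ensure_gpgcheck_never_disabled` next to the new `enable_gpgcheck_for_all_repositories` entry, since a per-repository `gpgcheck=0` presumably overrides the global setting that `ensure_gpgcheck_globally_activated` checks. It is also worth confirming that `enable_gpgcheck_for_all_repositories` is an existing rule id for this product, as it does not appear among the generated lines anywhere in view.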
@@ -74,13 +47,7 @@ controls: title: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories. rules: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_redhat_gpgkey_installed - - package_sequoia-sq_installed - - package_subscription-manager_installed - - sysctl_kernel_kexec_load_disabled + - enable_gpgcheck_for_all_repositories status: automated - id: RHEL-10-000510 levels: @@ -96,10 +63,7 @@ controls: - low title: RHEL 10 must use a separate file system for the system audit data path. rules: - - auditd_audispd_configure_sufficiently_large_partition - - grub2_audit_backlog_limit_argument - partition_for_var_log_audit - - var_audit_backlog_limit=8192 status: automated - id: RHEL-10-000530 levels: 
@@ -107,50 +71,35 @@ controls: title: RHEL 10 must use a separate file system for user home directories (such as "/home" or an equivalent). rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - partition_for_home status: automated - id: RHEL-10-000540 levels: - medium title: RHEL 10 must use a separate file system for "/tmp". rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - partition_for_tmp status: automated - id: RHEL-10-000550 levels: - medium title: RHEL 10 must use a separate file system for "/var". rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - partition_for_var status: automated - id: RHEL-10-000560 levels: - medium title: RHEL 10 must use a separate file system for "/var/log". rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - partition_for_var_log status: automated - id: RHEL-10-000570 levels: - medium title: RHEL 10 must use a separate file system for "/var/tmp". rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - partition_for_var_tmp status: automated - id: RHEL-10-200000 levels: 
@@ -165,40 +114,28 @@ controls:
- medium
title: RHEL 10 must not have the "nfs-utils" package installed.
rules:
- - kernel_module_bluetooth_disabled
- - kernel_module_can_disabled
- - kernel_module_sctp_disabled
- - kernel_module_tipc_disabled
+ - package_nfs-utils_removed
status: automated
- id: RHEL-10-200020
levels:
- high
title: RHEL 10 must not have the "telnet-server" package installed.
rules:
- - kernel_module_bluetooth_disabled
- - kernel_module_can_disabled
- - kernel_module_sctp_disabled
- - kernel_module_tipc_disabled
+ - package_telnet-server_removed
status: automated
- id: RHEL-10-200030
levels:
- medium
title: RHEL 10 must not have the "gssproxy" package installed.
rules:
- - kernel_module_bluetooth_disabled
- - kernel_module_can_disabled
- - kernel_module_sctp_disabled
- - kernel_module_tipc_disabled
+ - package_gssproxy_removed
status: automated
- id: RHEL-10-200040
levels:
- medium
title: RHEL 10 must not have the tuned package installed.
rules:
- - kernel_module_bluetooth_disabled
- - kernel_module_can_disabled
- - kernel_module_sctp_disabled
- - kernel_module_tipc_disabled
+ - package_tuned_removed
status: automated
- id: RHEL-10-200050
levels:
@@ -207,51 +144,34 @@ controls: installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_tftp-server_removed status: automated - id: RHEL-10-200060 levels: - medium title: RHEL 10 must not have the unbound package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_unbound_removed status: automated - id: RHEL-10-200070 levels: - high title: RHEL 10 must not have the "tftp" package installed. rules: - - package_telnet-server_removed - package_tftp_removed - - package_vsftpd_removed status: automated - id: RHEL-10-200080 levels: - medium title: RHEL 10 must not have the "gdm" package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_gdm_removed status: automated - id: RHEL-10-200090 levels: - high title: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled - - package_telnet-server_removed - - package_tftp_removed - package_vsftpd_removed status: automated - id: RHEL-10-200500 
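Review bot: RHEL-10-200050 is mapped to `package_tftp-server_removed` alone, while its title (the continuation lines at the top of this hunk) also requires that a tftp-server which the mission does need operates in secure mode; on a host where the package is justified the single rule just fails and nothing evaluates the secure-mode configuration. If the project's `tftpd_uses_secure_mode` rule applies to RHEL 10, listing it next to the removal rule would cover the conditional; if the secure-mode half is intentionally left to RHEL-10-800310, which the generated file carries as a separate control for that requirement, a `notes:` line on RHEL-10-200050 saying so would make the split explicit. The control's `id` and `levels` lines sit above this hunk.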
@@ -259,33 +179,20 @@ controls:
- medium
title: RHEL 10 must have the "subscription-manager" package installed.
rules:
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_local_packages
- - ensure_gpgcheck_never_disabled
- - ensure_redhat_gpgkey_installed
- - package_sequoia-sq_installed
- package_subscription-manager_installed
- - sysctl_kernel_kexec_load_disabled
status: automated
- id: RHEL-10-200510
levels:
- medium
title: RHEL 10 must have the "nss-tools" package installed.
rules:
- - kernel_module_bluetooth_disabled
- - kernel_module_can_disabled
- - kernel_module_sctp_disabled
- - kernel_module_tipc_disabled
+ - package_nss-tools_installed
status: automated
- id: RHEL-10-200520
levels:
- medium
title: RHEL 10 must have the "s-nail" package installed.
rules:
- - aide_build_database
- - aide_periodic_cron_checking
- - aide_use_fips_hashes
- - package_aide_installed
- package_s-nail_installed
status: automated
- id: RHEL-10-200530
@@ -293,23 +200,13 @@ controls:
- medium
title: RHEL 10 must have the "firewalld" package installed.
rules:
- - chronyd_client_only
- - chronyd_no_chronyc_network
- - configure_firewalld_ports
- - firewalld_sshd_port_enabled
- package_firewalld_installed
- - service_firewalld_enabled
status: automated
- id: RHEL-10-200531
levels:
- medium
title: RHEL 10 must have the "firewalld" service set to active.
rules:
- - chronyd_client_only
- - chronyd_no_chronyc_network
- - configure_firewalld_ports
- - firewalld_sshd_port_enabled
- - package_firewalld_installed
- service_firewalld_enabled
status: automated
- id: RHEL-10-200532
@@ -318,33 +215,23 @@ controls: title: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems. rules: - - configure_firewalld_ports - - package_firewalld_installed - - service_firewalld_enabled + - configured_firewalld_default_deny + related_rules: + - set_firewalld_default_zone status: automated - id: RHEL-10-200540 levels: - medium title: RHEL 10 must have the "chrony" package installed. rules: - - chronyd_or_ntpd_set_maxpoll - - chronyd_server_directive - - chronyd_specify_remote_server - package_chrony_installed - - service_chronyd_enabled - - var_multiple_time_servers=stig status: automated - id: RHEL-10-200541 levels: - medium title: RHEL 10 must enable the chronyd service. rules: - - chronyd_or_ntpd_set_maxpoll - - chronyd_server_directive - - chronyd_specify_remote_server - - package_chrony_installed - service_chronyd_enabled - - var_multiple_time_servers=stig status: automated - id: RHEL-10-200542 levels: 
@@ -352,69 +239,33 @@ controls: title: RHEL 10 must disable the chrony daemon from acting as a server. rules: - chronyd_client_only - - chronyd_no_chronyc_network - - configure_firewalld_ports - - firewalld_sshd_port_enabled - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled - - package_firewalld_installed - - service_firewalld_enabled status: automated - id: RHEL-10-200543 levels: - medium title: RHEL 10 must disable network management of the chrony daemon. rules: - - chronyd_client_only - chronyd_no_chronyc_network - - configure_firewalld_ports - - firewalld_sshd_port_enabled - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled - - package_firewalld_installed - - service_firewalld_enabled status: automated - id: RHEL-10-200560 levels: - medium title: RHEL 10 must have the USBGuard package installed. rules: - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-200561 levels: - medium title: RHEL 10 must have the USBGuard package enabled. rules: - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-200562 levels: - medium title: RHEL 10 must block unauthorized peripherals before establishing a connection. rules: - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - usbguard_generate_policy status: automated - id: RHEL-10-200563 
@@ -422,174 +273,41 @@ controls: - medium title: RHEL 10 must enable audit logging for the USBGuard daemon. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_lastlog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - 
- audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated - id: RHEL-10-200570 levels: - medium title: RHEL 10 must have the "policycoreutils" package installed. rules: - - grub2_init_on_free - - grub2_page_poison_argument - - grub2_vsyscall_argument - package_policycoreutils_installed - - selinux_state status: automated - id: RHEL-10-200580 levels: - medium title: RHEL 10 must have the "policycoreutils-python-utils" package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_policycoreutils-python-utils_installed status: automated - id: RHEL-10-200590 levels: - medium title: RHEL 10 must have the "sudo" package installed. 
rules: - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-200600 levels: - medium title: RHEL 10 must have the "fapolicy" module installed. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-200601 levels: - medium title: RHEL 10 must enable the "fapolicy" module. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - service_fapolicyd_enabled status: automated - id: RHEL-10-200602 
@@ -599,98 +317,41 @@ controls: to allow the execution of authorized software programs. rules: - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-200610 levels: - medium title: RHEL 10 must have the "pcsc-lite" package installed. rules: - - install_smartcard_packages - - package_opensc_installed - - package_pcsc-lite-ccid_installed - package_pcsc-lite_installed - - service_pcscd_enabled - - sssd_certificate_verification - - sssd_enable_smartcards - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-200611 levels: - medium title: RHEL 10 must have the "pcscd" service set to active. rules: - - install_smartcard_packages - - package_opensc_installed - - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - service_pcscd_enabled - - sssd_certificate_verification - - sssd_enable_smartcards - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-200612 levels: - medium title: RHEL 10 must have the "pcsc-lite-ccid" package installed. 
rules: - - install_smartcard_packages - - package_opensc_installed - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - - service_pcscd_enabled - - sssd_certificate_verification - - sssd_enable_smartcards - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-200620 levels: - medium title: RHEL 10 must have the "opensc" package installed. rules: - - install_smartcard_packages - package_opensc_installed - - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - - service_pcscd_enabled - - sssd_certificate_verification - - sssd_enable_smartcards - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-200621 levels: - medium title: RHEL 10 must use the common access card (CAC) smart card driver. rules: - - account_unique_id - configure_opensc_card_drivers - - gid_passwd_group_same - - group_unique_id - - sshd_disable_empty_passwords - - sshd_disable_root_login - - sshd_enable_pubkey_auth - var_smartcard_drivers=cac status: automated - id: RHEL-10-200630 @@ -700,11 +361,6 @@ controls: installed. rules: - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing status: automated - id: RHEL-10-200631 levels: @@ -720,7 +376,7 @@ controls: title: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. rules: - - encrypt_partitions + - aide_use_fips_hashes status: automated - id: RHEL-10-200633 levels: @@ -734,7 +390,6 @@ controls: - aide_scan_notification - aide_use_fips_hashes - package_aide_installed - - package_s-nail_installed status: automated - id: RHEL-10-200634 levels: 
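Review bot: In the `@@ -734,7 +390,6 @@` hunk, RHEL-10-200633 keeps `aide_scan_notification` but drops `package_s-nail_installed`, so the notification control no longer carries the mail client it presumably relies on to deliver the AIDE report. That is fine for de-duplication because RHEL-10-200520 in this patch still selects `package_s-nail_installed`, but the dependency is now implicit; a short `notes: mail delivery depends on s-nail selected by RHEL-10-200520` on 200633 would make it visible to anyone tailoring the profile. The 200633 entry's `id`, `title` and `rules:` lines are above the hunk.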
@@ -742,7 +397,7 @@ controls: title: RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). rules: - - encrypt_partitions + - aide_verify_acls status: automated - id: RHEL-10-200635 levels: @@ -750,32 +405,21 @@ controls: title: RHEL 10 must be configured so that the file integrity tool verifies extended attributes. rules: - - encrypt_partitions + - aide_verify_ext_attributes status: automated - id: RHEL-10-200640 levels: - medium title: RHEL 10 must have the "rsyslog" package installed. rules: - - auditd_freq - - auditd_name_format - - auditd_overflow_action - - package_audit_installed - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost - - service_auditd_enabled - - var_auditd_freq=100 status: automated - id: RHEL-10-200641 levels: - medium title: RHEL 10 must have the rsyslog service set to active. rules: - - package_audit_installed - - service_auditd_enabled + - service_rsyslog_enabled status: automated - id: RHEL-10-200642 levels: @@ -784,12 +428,6 @@ controls: Protocol (TCP) to a different system or media from the system being audited via rsyslog. rules: - - auditd_name_format - - auditd_overflow_action - - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - rsyslog_remote_loghost status: automated - id: RHEL-10-200643 
@@ -798,10 +436,7 @@ controls: title: RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - rsyslog_nolisten status: automated - id: RHEL-10-200644 levels: @@ -809,14 +444,7 @@ controls: title: RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog". rules: - - auditd_name_format - - auditd_overflow_action - - package_audispd-plugins_installed - - package_rsyslog_installed - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost status: automated - id: RHEL-10-200645 levels: @@ -824,14 +452,7 @@ controls: title: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. rules: - - auditd_name_format - - auditd_overflow_action - - package_audispd-plugins_installed - - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost status: automated - id: RHEL-10-200646 levels: @@ -840,14 +461,7 @@ controls: off-loaded onto a different system or media from the system being audited via rsyslog. rules: - - auditd_name_format - - auditd_overflow_action - - package_audispd-plugins_installed - - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost status: automated - id: RHEL-10-200647 levels: 
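Review bot: RHEL-10-200643 in the first hunk keeps `status: automated` with `rsyslog_nolisten`, yet its title exempts hosts used for log aggregation, so a deliberately configured aggregator will be flagged non-compliant with no hint that the finding is expected. If the control schema's `notes:` field is used in this file, a one-line `notes: not applicable on designated log-aggregation servers; tailor rsyslog_nolisten out there` would carry that caveat into the generated guide. The 200643 entry's `id` and `levels` lines start above the hunk.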
@@ -855,15 +469,13 @@ controls: title: RHEL 10 must monitor all remote access methods. rules: - rsyslog_remote_access_monitoring - - sshd_set_loglevel_verbose status: automated - id: RHEL-10-200648 levels: - medium title: RHEL 10 must use cron logging. rules: - - package_audit_installed - - service_auditd_enabled + - rsyslog_cron_logging status: automated - id: RHEL-10-200650 levels: 
@@ -871,219 +483,35 @@ controls: title: RHEL 10 must have the packages required for encrypting off-loaded audit logs installed. rules: - - libreswan_approved_tunnels - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth status: automated - id: RHEL-10-200660 levels: - medium title: RHEL 10 must have the "audit" package installed. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - 
audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_freq - - auditd_local_events - - auditd_log_format - - auditd_name_format - - configure_usbguard_auditbackend - - grub2_audit_argument - - grub2_audit_backlog_limit_argument - package_audit_installed - - package_rsyslog_installed - - service_auditd_enabled 
- - var_audit_backlog_limit=8192 - - var_auditd_freq=100 status: automated - id: RHEL-10-200661 levels: - medium title: RHEL 10 must enable the audit service. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - 
audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_freq - - auditd_local_events - - auditd_log_format - - auditd_name_format - - configure_usbguard_auditbackend - - grub2_audit_argument - - grub2_audit_backlog_limit_argument - - package_audit_installed - - package_rsyslog_installed - service_auditd_enabled - - var_audit_backlog_limit=8192 - - var_auditd_freq=100 status: automated - id: RHEL-10-200662 levels: - low title: RHEL 10 must have the "audispd-plugins" package installed. 
rules: - - auditd_name_format - - auditd_overflow_action - package_audispd-plugins_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost status: automated - id: RHEL-10-200680 levels: - medium title: RHEL 10 must have the "libreswan" package installed. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth + - package_libreswan_installed status: automated - id: RHEL-10-200690 levels: @@ -1091,14 +519,7 @@ controls: title: RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner. rules: - - audit_rules_system_shutdown - - auditd_data_retention_action_mail_acct - package_postfix_installed - - postfix_client_configure_mail_alias - - postfix_client_configure_mail_alias_postmaster - - var_audit_failure_mode=panic - - var_auditd_action_mail_acct=root - - var_postfix_root_mail_alias=mil_sysadmin status: automated - id: RHEL-10-200691 levels: @@ -1107,13 +528,8 @@ controls: officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure. rules: - - audit_rules_system_shutdown - - auditd_data_retention_action_mail_acct - - package_postfix_installed - postfix_client_configure_mail_alias - postfix_client_configure_mail_alias_postmaster - - var_audit_failure_mode=panic - - var_auditd_action_mail_acct=root - var_postfix_root_mail_alias=mil_sysadmin status: automated - id: RHEL-10-200692 
@@ -1121,20 +537,14 @@ controls: - medium title: RHEL 10 must be configured to prevent unrestricted mail relaying. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - postfix_prevent_unrestricted_relay status: automated - id: RHEL-10-200700 levels: - medium title: RHEL 10 must have the "cronie" package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_cron_installed status: automated - id: RHEL-10-200720 levels: @@ -1142,12 +552,7 @@ controls: title: RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems. rules: - - configure_bind_crypto_policy - package_openssh-server_installed - - service_sshd_enabled - - ssh_client_rekey_limit - - sysctl_crypto_fips_enabled - - wireless_disable_interfaces status: automated - id: RHEL-10-200721 levels: @@ -1156,22 +561,14 @@ controls: (SSH) to protect the confidentiality and integrity of transmitted and received information. rules: - - configure_bind_crypto_policy - - package_openssh-server_installed - service_sshd_enabled - - ssh_client_rekey_limit - - sysctl_crypto_fips_enabled - - wireless_disable_interfaces status: automated - id: RHEL-10-200722 levels: - medium title: RHEL 10 must have the "openssh-clients" package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_openssh-clients_installed status: automated - id: RHEL-10-200730 levels: 
@@ -1179,37 +576,20 @@ controls: title: RHEL 10 must have the "pkcs11-provider" package installed. rules: - install_smartcard_packages - - package_opensc_installed - - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - - service_pcscd_enabled - - sshd_enable_pubkey_auth - - sssd_certificate_verification - - sssd_enable_smartcards - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-200740 levels: - medium title: RHEL 10 must have the "gnutls-utils" package installed. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - package_gnutls-utils_installed status: automated - id: RHEL-10-300000 levels: - high title: RHEL 10 must have the "crypto-policies" package installed. rules: - - configure_crypto_policy - - enable_fips_mode - - fips_crypto_subpolicy - package_crypto-policies_installed - - sysctl_crypto_fips_enabled - - system_booted_in_fips_mode - - var_system_crypto_policy=fips status: automated - id: RHEL-10-300010 levels: @@ -1217,15 +597,6 @@ controls: title: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. rules: - configure_crypto_policy - - configure_libreswan_crypto_policy - - enable_fips_mode - - fips_crypto_subpolicy - - package_crypto-policies_installed - - sshd_rekey_limit - - sysctl_crypto_fips_enabled - - system_booted_in_fips_mode - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour - var_system_crypto_policy=fips status: automated - id: RHEL-10-000500 
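Review bot: RHEL-10-200730 in the first hunk is titled as a requirement that the `pkcs11-provider` package be installed, but the only surviving rule is the generic `install_smartcard_packages` bundle, unlike the sibling package controls in this patch (for example `package_gnutls-utils_installed` on 200740) which map to a per-package rule. If a `package_pkcs11-provider_installed` rule exists in the tree, prefer it here, or add it alongside the bundle, so the check fails precisely on the package the STIG names rather than on whatever the bundle happens to list. The 200730 entry's `id` and `levels` lines are above the hunk.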
@@ -1233,31 +604,9 @@ controls: - high title: RHEL 10 must enable FIPS mode. rules: - - aide_use_fips_hashes - - configure_bind_crypto_policy - - configure_crypto_policy - - configure_kerberos_crypto_policy - - configure_libreswan_crypto_policy - enable_fips_mode - - file_sshd_50_redhat_exists - - fips_crypto_subpolicy - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - - harden_sshd_macs_opensshserver_conf_crypto_policy - - package_crypto-policies_installed - - package_openssh-server_installed - - service_sshd_enabled - - sshd_approved_ciphers=stig_rhel9 - - sshd_approved_macs=stig_rhel9 - - sshd_enable_pam - - sshd_include_crypto_policy - - sshd_rekey_limit - sysctl_crypto_fips_enabled - system_booted_in_fips_mode - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour - - var_system_crypto_policy=fips status: automated - id: RHEL-10-300030 levels: @@ -1266,26 +615,8 @@ controls: encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. rules: - - configure_bind_crypto_policy - - configure_crypto_policy - - configure_libreswan_crypto_policy - - file_sshd_50_redhat_exists - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - - harden_sshd_macs_opensshserver_conf_crypto_policy - - package_crypto-policies_installed - - package_openssh-server_installed - - service_sshd_enabled - - sshd_approved_ciphers=stig_rhel9 - - sshd_approved_macs=stig_rhel9 - - sshd_enable_pam - - sshd_include_crypto_policy - - sshd_rekey_limit - - sysctl_crypto_fips_enabled - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour - - var_system_crypto_policy=fips + - sshd_approved_ciphers=stig_rhel10 status: automated - id: RHEL-10-300040 levels: 
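Review bot: The second hunk switches RHEL-10-300030 to `sshd_approved_ciphers=stig_rhel10`, and the server and MAC variants in the following hunks do the same with `sshd_approved_macs=stig_rhel10`; those option names must exist in the `sshd_approved_ciphers` and `sshd_approved_macs` variable definitions, and nothing in this diff adds them, so a missing option would likely break the profile build rather than surface at scan time. Please confirm the `stig_rhel10` selectors are defined in the same series or already in the tree. In the first hunk, RHEL-10-000500 (FIPS mode, `high`) now drops `var_system_crypto_policy=fips` and `fips_crypto_subpolicy`; that is acceptable only because 300010 and 300090 in this patch still select the variable, so a `notes:` line recording that dependency would help future tailoring.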
@@ -1294,16 +625,8 @@ controls: encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. rules: - - file_sshd_50_redhat_exists - - harden_sshd_ciphers_openssh_conf_crypto_policy - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - - harden_sshd_macs_opensshserver_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel9 - - sshd_approved_macs=stig_rhel9 - - sshd_enable_pam - - sshd_include_crypto_policy - - sysctl_crypto_fips_enabled + - sshd_approved_ciphers=stig_rhel10 status: automated - id: RHEL-10-300050 levels: @@ -1312,16 +635,8 @@ controls: Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. rules: - - file_sshd_50_redhat_exists - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - harden_sshd_macs_openssh_conf_crypto_policy - - harden_sshd_macs_opensshserver_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel9 - - sshd_approved_macs=stig_rhel9 - - sshd_enable_pam - - sshd_include_crypto_policy - - sysctl_crypto_fips_enabled + - sshd_approved_macs=stig_rhel10 status: automated - id: RHEL-10-300060 levels: @@ -1330,16 +645,8 @@ controls: Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. rules: - - file_sshd_50_redhat_exists - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - harden_sshd_macs_opensshserver_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel9 - - sshd_approved_macs=stig_rhel9 - - sshd_enable_pam - - sshd_include_crypto_policy - - sysctl_crypto_fips_enabled + - sshd_approved_macs=stig_rhel10 status: automated - id: RHEL-10-300070 levels: 
@@ -1347,10 +654,6 @@ controls: title: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. rules: - configure_libreswan_crypto_policy - - sshd_rekey_limit - - sysctl_crypto_fips_enabled - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour status: automated - id: RHEL-10-300080 levels: @@ -1358,9 +661,6 @@ controls: title: RHEL 10 must implement DOD-approved encryption in the bind package. rules: - configure_bind_crypto_policy - - package_openssh-server_installed - - service_sshd_enabled - - sysctl_crypto_fips_enabled status: automated - id: RHEL-10-300090 levels: @@ -1368,11 +668,6 @@ controls: title: RHEL 10 cryptographic policy must not be overridden. rules: - configure_crypto_policy - - enable_fips_mode - - fips_crypto_subpolicy - - package_crypto-policies_installed - - sysctl_crypto_fips_enabled - - system_booted_in_fips_mode - var_system_crypto_policy=fips status: automated - id: RHEL-10-400000 @@ -1380,13 +675,7 @@ controls: - medium title: RHEL 10 must be configured so that the "/etc/group" file is owned by root. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_etc_group status: automated - id: RHEL-10-400005 levels: 
@@ -1394,26 +683,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_etc_group status: automated - id: RHEL-10-400010 levels: - medium title: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_backup_etc_group status: automated - id: RHEL-10-400015 levels: @@ -1421,26 +698,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_backup_etc_group status: automated - id: RHEL-10-400020 levels: - medium title: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_etc_gshadow status: automated - id: RHEL-10-400025 levels: 
@@ -1448,26 +713,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_etc_gshadow status: automated - id: RHEL-10-400030 levels: - medium title: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_backup_etc_gshadow status: automated - id: RHEL-10-400035 levels: @@ -1475,26 +728,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_backup_etc_gshadow status: automated - id: RHEL-10-400040 levels: - medium title: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_etc_passwd status: automated - id: RHEL-10-400045 levels: 
@@ -1502,26 +743,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_etc_passwd status: automated - id: RHEL-10-400050 levels: - medium title: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_backup_etc_passwd status: automated - id: RHEL-10-400055 levels: @@ -1529,26 +758,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_backup_etc_passwd status: automated - id: RHEL-10-400060 levels: - medium title: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_etc_shadow status: automated - id: RHEL-10-400065 levels: 
@@ -1556,26 +773,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_etc_shadow status: automated - id: RHEL-10-400070 levels: - medium title: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_backup_etc_shadow status: automated - id: RHEL-10-400075 levels: @@ -1583,30 +788,14 @@ controls: title: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_backup_etc_shadow status: automated - id: RHEL-10-400080 levels: - medium title: RHEL 10 must be configured so that the "/var/log" directory is owned by "root". rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400085 levels: 
@@ -1614,17 +803,7 @@ controls: title: RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root". rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400090 levels: @@ -1632,17 +811,7 @@ controls: title: RHEL 10 must be configured so that the "/var/log/"messages file is owned by root. rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400095 levels: 
@@ -1650,32 +819,14 @@ controls: title: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root". rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400100 levels: - medium title: RHEL 10 must be configured so that system commands are owned by "root". rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400105 levels: @@ -1683,30 +834,14 @@ controls: title: RHEL 10 must be configured so that system commands are group-owned by root or a system account. rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400110 levels: - medium title: RHEL 10 must be configured so that library files are owned by "root". rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400115 levels: 
@@ -1714,14 +849,6 @@ controls: title: RHEL 10 must be configured so that library files are group-owned by "root" or a system account. rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - root_permissions_syslibrary_files status: automated - id: RHEL-10-400120 @@ -1729,15 +856,7 @@ controls: - medium title: RHEL 10 must be configured so that library directories are owned by "root". rules: - - dir_group_ownership_library_dirs - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400125 levels: @@ -1746,14 +865,6 @@ controls: "root" or a system account. rules: - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400130 levels: @@ -1761,12 +872,13 @@ controls: title: RHEL 10 must be configured so that cron configuration file directories are owned by root. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - file_owner_cron_d + - file_owner_cron_daily + - file_owner_cron_hourly + - file_owner_cron_monthly + - file_owner_cron_weekly + - file_owner_crontab + - file_owner_cron_deny status: automated - id: RHEL-10-400135 levels: 
@@ -1774,13 +886,13 @@ controls: title: RHEL 10 must be configured so that cron configuration files directories are group-owned by root. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_cron_d + - file_groupowner_cron_daily + - file_groupowner_cron_hourly + - file_groupowner_cron_monthly + - file_groupowner_cron_weekly + - file_groupowner_crontab + - file_groupowner_cron_deny status: automated - id: RHEL-10-400140 levels: @@ -1789,9 +901,6 @@ controls: root, sys, bin, or an application user. rules: - dir_perms_world_writable_root_owned - - dir_perms_world_writable_sticky_bits - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_perf_event_paranoid status: automated - id: RHEL-10-400145 levels: @@ -1799,13 +908,7 @@ controls: title: RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - selinux_all_devicefiles_labeled status: automated - id: RHEL-10-400150 levels: @@ -1813,13 +916,9 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_sshd_config + - directory_groupowner_sshd_config_d + - file_groupowner_sshd_drop_in_config status: automated - id: RHEL-10-400155 levels: 
@@ -1827,13 +926,13 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root". rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_sshd_50_redhat_exists + - file_owner_sshd_config + - directory_owner_sshd_config_d + - file_owner_sshd_drop_in_config + notes: > + TODO: investigate if file_sshd_50_redhat_exists is a convenience rule or a prerequisite + or if it's superfluous and should be removed. status: automated - id: RHEL-10-400160 levels: @@ -1841,17 +940,7 @@ controls: title: RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - firewalld-backend - - grub2_admin_username - - grub2_password - - require_singleuser_auth - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - file_groupownership_home_directories status: automated - id: RHEL-10-400165 levels: 
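Review bot: `file_sshd_50_redhat_exists` is selected only under RHEL-10-400155 (owner), while the parallel group-owner control RHEL-10-400150 in the preceding hunk selects the same three sshd_config rules without it. If it is a prerequisite for `file_owner_sshd_drop_in_config` to find the drop-in file (presumably `/etc/ssh/sshd_config.d/50-redhat.conf`), then `file_groupowner_sshd_drop_in_config` needs it for the same reason; if it is not, it should be dropped here, so the TODO ought to be resolved the same way in both controls rather than only in this one. Minor: this hunk places `notes:` before `status:`, while RHEL-10-400230 later in the file places it after; keep one ordering.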
@@ -1859,19 +948,7 @@ controls: title: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging group to prevent unauthorized read access. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400170 levels: @@ -1879,19 +956,7 @@ controls: title: RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized read access. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400175 levels: @@ -1899,19 +964,7 @@ controls: title: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400180 levels: 
@@ -1919,19 +972,7 @@ controls: title: RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log files to prevent unauthorized access. rules: - - audit_rules_immutable - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400185 levels: @@ -1939,19 +980,7 @@ controls: title: RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized access to the audit log. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400190 levels: 
@@ -1959,91 +988,49 @@ controls: title: RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_ownership_var_log_audit_stig - - file_permissions_var_log_audit status: automated - id: RHEL-10-400195 levels: - medium title: RHEL 10 must enforce root ownership of the "/etc/audit/" directory. rules: - - file_permissions_etc_audit_auditd - - file_permissions_etc_audit_rulesd + - file_ownership_audit_configuration status: automated - id: RHEL-10-400200 levels: - medium title: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. rules: - - file_permissions_etc_audit_auditd - - file_permissions_etc_audit_rulesd + - file_groupownership_audit_configuration status: automated - id: RHEL-10-400205 levels: - medium title: RHEL 10 must enforce mode "755" or less permissive for system commands. rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400210 levels: - medium title: RHEL 10 must enforce mode "755" or less permissive on library directories. rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400215 levels: - medium title: RHEL 10 must enforce mode "755" or less permissive for library files. 
rules: - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_ownership_library_dirs - - file_permissions_binary_dirs - file_permissions_library_dirs - - root_permissions_syslibrary_files status: automated - id: RHEL-10-400220 levels: - medium title: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - file_permissions_var_log - - file_permissions_var_log_audit - - file_permissions_var_log_messages status: automated - id: RHEL-10-400225 levels: @@ -2051,16 +1038,6 @@ controls: title: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file. rules: - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_groupowner_var_log - - file_groupowner_var_log_messages - - file_owner_var_log - - file_owner_var_log_messages - - file_ownership_var_log_audit_stig - - file_permissions_var_log - - file_permissions_var_log_audit - file_permissions_var_log_messages status: automated - id: RHEL-10-400230 
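Review bot: RHEL-10-400195 and RHEL-10-400200 are about ownership of the `/etc/audit/` directory itself, but the selected rules `file_ownership_audit_configuration` / `file_groupownership_audit_configuration` are, by name, file rules; whether they also assert the owner and group of the directory is not visible here and should be confirmed against the rules' checks before `status: automated` stands. If they cover only the files, either add a directory-level rule or record the gap, e.g. `notes: rule covers files under /etc/audit; ownership of the directory itself is not checked.` The hunk begins on the previous line.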
@@ -2069,24 +1046,23 @@ controls: title: RHEL 10 must be configured to prohibit modification of permissions for cron configuration files and directories from the operating system defaults. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - file_permissions_cron_d + - file_permissions_cron_daily + - file_permissions_cron_hourly + - file_permissions_cron_monthly + - file_permissions_cron_weekly + - file_permissions_crontab status: automated + notes: > + TODO: STIG recommends to use rpm to verify that permissions match the operating system defaults. - id: RHEL-10-400235 levels: - medium title: RHEL 10 must enforce mode "0740" or less permissive for local initialization files. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles status: automated - id: RHEL-10-400240 levels: @@ -2094,13 +1070,7 @@ controls: title: RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_home_directories status: automated - id: RHEL-10-400245 levels: 
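Review bot: RHEL-10-400230 selects `file_permissions_cron_*` for the five cron directories and `/etc/crontab` but nothing for `/etc/cron.deny`, while the ownership controls RHEL-10-400130/400135 above do include `file_owner_cron_deny` / `file_groupowner_cron_deny`; either `/etc/cron.deny` is in scope for all three controls or for none, so add the permissions rule if one exists or trim the ownership controls. Separately, the `notes:` line already says the STIG compares against the packaged defaults; if any of these rules enforces a mode stricter than what the package ships, remediation would itself make that rpm-style verification report a mode mismatch, so the modes should be checked against the cronie defaults and the note extended, e.g. `notes: modes enforced here must equal the cronie package defaults, since the STIG check uses rpm verification.`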
@@ -2108,13 +1078,7 @@ controls: title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_etc_group status: automated - id: RHEL-10-400250 levels: @@ -2122,13 +1086,7 @@ controls: title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_backup_etc_group status: automated - id: RHEL-10-400255 levels: @@ -2136,13 +1094,7 @@ controls: title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_etc_gshadow status: automated - id: RHEL-10-400260 levels: @@ -2150,13 +1102,7 @@ controls: title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_backup_etc_gshadow status: automated - id: RHEL-10-400265 levels: 
@@ -2164,13 +1110,7 @@ controls: title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_etc_passwd status: automated - id: RHEL-10-400270 levels: @@ -2178,13 +1118,7 @@ controls: title: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_backup_etc_passwd status: automated - id: RHEL-10-400275 levels: @@ -2192,23 +1126,14 @@ controls: title: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_backup_etc_shadow status: automated - id: RHEL-10-400280 levels: - medium title: RHEL 10 must be configured so that a sticky bit is set on all public directories. rules: - - dir_perms_world_writable_root_owned - dir_perms_world_writable_sticky_bits - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_perf_event_paranoid status: automated - id: RHEL-10-400285 levels: 
@@ -2216,13 +1141,7 @@ controls: title: RHEL 10 must be configured so that all local files and directories have a valid group owner. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_ungroupowned status: automated - id: RHEL-10-400290 levels: @@ -2230,13 +1149,7 @@ controls: title: RHEL 10 must be configured so that all local files and directories must have a valid owner. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - no_files_unowned_by_user status: automated - id: RHEL-10-400295 levels: @@ -2244,22 +1157,14 @@ controls: title: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_etc_shadow status: automated - id: RHEL-10-400300 levels: - medium title: RHEL 10 must be configured so that audit tools are owned by "root". rules: - - file_audit_tools_group_ownership - file_audit_tools_ownership - - file_audit_tools_permissions status: automated - id: RHEL-10-400305 levels: @@ -2267,8 +1172,6 @@ controls: title: RHEL 10 must be configured so that audit tools are group-owned by "root". rules: - file_audit_tools_group_ownership - - file_audit_tools_ownership - - file_audit_tools_permissions status: automated - id: RHEL-10-400310 levels: 
@@ -2276,39 +1179,24 @@ controls: title: RHEL 10 must set the umask value to "077" for all local interactive user accounts. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_umask_interactive_users + - var_accounts_user_umask=077 status: automated - id: RHEL-10-400315 levels: - medium title: RHEL 10 must define default permissions for the bash shell. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_umask_etc_bashrc + - var_accounts_user_umask=077 status: automated - id: RHEL-10-400320 levels: - medium title: RHEL 10 must define default permissions for the c shell. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_umask_etc_csh_cshrc + - var_accounts_user_umask=077 status: automated - id: RHEL-10-400325 levels: 
@@ -2316,26 +1204,16 @@ controls: title: RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_umask_etc_login_defs + - var_accounts_user_umask=077 status: automated - id: RHEL-10-400330 levels: - medium title: RHEL 10 must define default permissions for the system default profile. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_umask_etc_profile + - var_accounts_user_umask=077 status: automated - id: RHEL-10-400335 levels: @@ -2343,13 +1221,7 @@ controls: title: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - rootfiles_configured status: automated - id: RHEL-10-400340 levels: @@ -2357,13 +1229,7 @@ controls: title: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_sshd_private_key status: automated - id: RHEL-10-400345 levels: 
@@ -2371,26 +1237,14 @@ controls: title: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_groupowner_grub2_cfg status: automated - id: RHEL-10-400350 levels: - medium title: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_owner_grub2_cfg status: automated - id: RHEL-10-400355 levels: @@ -2398,30 +1252,7 @@ controls: title: RHEL 10 must prevent device files from being interpreted on file systems that contain user home directories. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-400360 levels: 
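Review bot: The retained `mount_option_home_nodev` selection for RHEL-10-400355 records nothing about the precondition it depends on: a mount-option rule on `/home` presumably only evaluates meaningfully when `/home` is a separate mount, and the DISA check for this family is, as far as I recall, marked not applicable on systems without one, so that condition is lost once the control carries the bare rule id. A one-line comment above the rule, `# assumes a dedicated /home mount; confirm the XCCDF check's N/A condition`, would tell a reader of the control file why a failing result on a single-partition system may be a scoping issue rather than a missing remediation. The same applies to `mount_option_home_nosuid` (RHEL-10-400360, the next hunk) and `mount_option_home_noexec` (RHEL-10-400365, the hunk after it).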
@@ -2429,30 +1260,7 @@ controls: title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-400365 levels: 
@@ -2460,111 +1268,34 @@ controls: title: RHEL 10 must prevent code from being executed on file systems that contain user home directories. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_home_noexec status: automated - id: RHEL-10-400400 levels: - medium title: RHEL 10 must mount "/var/log/audit" with the "nodev" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-400405 levels: - medium title: RHEL 10 must mount "/var/log/audit" with the "noexec" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-400410 levels: - medium title: RHEL 10 must mount "/var/log/audit" with the "nosuid" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-400450 levels: - medium title: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. rules: - - file_audit_tools_group_ownership - - file_audit_tools_ownership - file_audit_tools_permissions status: automated - id: RHEL-10-400500 
@@ -2573,10 +1304,7 @@ controls: title: RHEL 10 must prohibit local initialization files from executing world-writable programs. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - accounts_user_dot_no_world_writable_programs status: automated - id: RHEL-10-500000 levels: 
@@ -2590,120 +1318,28 @@ controls: - medium title: RHEL 10 must enable auditing of processes that start prior to the audit daemon. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - grub2_audit_argument status: automated - id: RHEL-10-500010 levels: - medium title: RHEL 10 must audit local events. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_lastlog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - 
audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated - id: RHEL-10-500015 levels: - medium title: RHEL 10 must write audit records to disk. rules: - - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - file_group_ownership_var_log_audit - - file_ownership_var_log_audit_stig - - file_permissions_var_log_audit + - auditd_write_logs status: automated - id: RHEL-10-500020 levels: - medium title: RHEL 10 must log username information when unsuccessful login attempts occur. 
rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-500025 levels: 
@@ -2721,89 +1357,7 @@ controls: title: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - 
audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_audispd_configure_sufficiently_large_partition - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - grub2_audit_backlog_limit_argument - - package_audit_installed - - partition_for_var_log_audit - - service_auditd_enabled - var_audit_backlog_limit=8192 status: automated - id: RHEL-10-500035 
@@ -2813,13 +1367,7 @@ controls: occurs. rules: - audit_rules_system_shutdown - - auditd_data_retention_action_mail_acct - - package_postfix_installed - - postfix_client_configure_mail_alias - - postfix_client_configure_mail_alias_postmaster - var_audit_failure_mode=panic - - var_auditd_action_mail_acct=root - - var_postfix_root_mail_alias=mil_sysadmin status: automated - id: RHEL-10-500040 levels: @@ -2827,14 +1375,8 @@ controls: title: RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of the audit record storage capacity. rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_admin_space_left_percentage - auditd_data_retention_space_left_action - auditd_data_retention_space_left_percentage - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=single - - var_auditd_admin_space_left_percentage=5pc - var_auditd_space_left_action=email - var_auditd_space_left_percentage=25pc status: automated @@ -2845,15 +1387,7 @@ controls: log server. rules: - auditd_name_format - - auditd_overflow_action - - package_audispd-plugins_installed - - package_audit_installed - - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost - - service_auditd_enabled + - var_auditd_name_format=stig status: automated - id: RHEL-10-500100 levels: 
@@ -2862,16 +1396,7 @@ controls: week's worth of audit records. rules: - auditd_audispd_configure_sufficiently_large_partition - - auditd_name_format - - auditd_overflow_action - - grub2_audit_backlog_limit_argument - - package_audispd-plugins_installed - partition_for_var_log_audit - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost - - var_audit_backlog_limit=8192 status: automated - id: RHEL-10-500105 levels: @@ -2879,16 +1404,8 @@ controls: title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - auditd_data_retention_admin_space_left_percentage - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=single - var_auditd_admin_space_left_percentage=5pc - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc status: automated - id: RHEL-10-500110 levels: 
@@ -2896,30 +1413,15 @@ controls: title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. rules: - - auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action - - auditd_data_retention_admin_space_left_percentage - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - var_auditd_action_mail_acct=root - var_auditd_admin_space_left_action=single - - var_auditd_admin_space_left_percentage=5pc - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc status: automated - id: RHEL-10-500115 levels: - medium title: RHEL 10 must take appropriate action when the internal event queue is full. rules: - - auditd_name_format - auditd_overflow_action - - package_audispd-plugins_installed - - package_rsyslog_installed - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - rsyslog_encrypt_offload_defaultnetstreamdriver - - rsyslog_remote_loghost status: automated - id: RHEL-10-500120 levels: @@ -2928,8 +1430,6 @@ controls: identity of any individual or process associated with the event. rules: - auditd_log_format - - package_audit_installed - - service_auditd_enabled status: automated - id: RHEL-10-500125 levels: @@ -2938,9 +1438,6 @@ controls: records are not lost. rules: - auditd_freq - - package_audit_installed - - package_rsyslog_installed - - service_auditd_enabled - var_auditd_freq=100 status: automated - id: RHEL-10-500205 
@@ -2950,14 +1447,8 @@ controls: security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_admin_space_left_percentage - auditd_data_retention_space_left_action - auditd_data_retention_space_left_percentage - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=single - - var_auditd_admin_space_left_percentage=5pc - var_auditd_space_left_action=email - var_auditd_space_left_percentage=25pc status: automated @@ -2967,22 +1458,8 @@ controls: title: RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure. rules: - - audit_rules_system_shutdown - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_admin_space_left_percentage - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - package_postfix_installed - - postfix_client_configure_mail_alias - - postfix_client_configure_mail_alias_postmaster - - var_audit_failure_mode=panic - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=single - - var_auditd_admin_space_left_percentage=5pc - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc - - var_postfix_root_mail_alias=mil_sysadmin status: automated - id: RHEL-10-500215 levels: @@ -2990,7 +1467,6 @@ controls: title: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server. rules: - - rsyslog_remote_access_monitoring - sshd_set_loglevel_verbose status: automated - id: RHEL-10-500300 
@@ -2999,9 +1475,6 @@ controls: title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call. rules: - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - audit_rules_suid_privilege_function status: automated - id: RHEL-10-500310 
@@ -3011,4010 +1484,428 @@ controls: of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_setxattr - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lremovexattr + status: automated +- id: RHEL-10-500320 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of "umount" system calls. + rules: + - audit_rules_privileged_commands_umount + status: automated +- id: RHEL-10-500330 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "chacl" command. + rules: - audit_rules_execution_chacl + status: automated +- id: RHEL-10-500340 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "setfacl" command. + rules: + - audit_rules_execution_setfacl + status: automated +- id: RHEL-10-500350 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "chcon" command. + rules: - audit_rules_execution_chcon + status: automated +- id: RHEL-10-500360 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "semanage" command. 
+ rules: - audit_rules_execution_semanage - - audit_rules_execution_setfacl + status: automated +- id: RHEL-10-500370 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "setfiles" command. + rules: - audit_rules_execution_setfiles + status: automated +- id: RHEL-10-500380 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "setsebool" command. + rules: - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + status: automated +- id: RHEL-10-500390 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" + system calls. + rules: + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_open_by_handle_at + status: automated +- id: RHEL-10-500400 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "delete_module" system call. + rules: - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit + status: automated +- id: RHEL-10-500410 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "init_module" and "finit_module" system calls. 
+ rules: - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export + - audit_rules_kernel_module_loading_finit + status: automated +- id: RHEL-10-500420 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "chage" command. + rules: - audit_rules_privileged_commands_chage + status: automated +- id: RHEL-10-500430 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "chsh" command. + rules: - audit_rules_privileged_commands_chsh + status: automated +- id: RHEL-10-500440 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "crontab" command. + rules: - audit_rules_privileged_commands_crontab + status: automated +- id: RHEL-10-500450 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "gpasswd" command. + rules: - audit_rules_privileged_commands_gpasswd + status: automated +- id: RHEL-10-500460 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "kmod" command. + rules: - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount + status: automated +- id: RHEL-10-500470 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "newgrp" command. + rules: - audit_rules_privileged_commands_newgrp + status: automated +- id: RHEL-10-500480 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "pam_timestamp_check" command. 
+ rules: - audit_rules_privileged_commands_pam_timestamp_check + status: automated +- id: RHEL-10-500490 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "passwd" command. + rules: - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec + status: automated +- id: RHEL-10-500500 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "postdrop" command. + rules: - audit_rules_privileged_commands_postdrop + status: automated +- id: RHEL-10-500510 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "postqueue" command. + rules: - audit_rules_privileged_commands_postqueue + status: automated +- id: RHEL-10-500520 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the ssh-agent command. + rules: - audit_rules_privileged_commands_ssh_agent + status: automated +- id: RHEL-10-500530 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "ssh-keysign" command. + rules: - audit_rules_privileged_commands_ssh_keysign + status: automated +- id: RHEL-10-500540 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "su" command. + rules: - audit_rules_privileged_commands_su + status: automated +- id: RHEL-10-500550 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "sudo" command. 
+ rules: - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500320 +- id: RHEL-10-500560 levels: - medium title: RHEL 10 must generate audit records for successful and unsuccessful uses - of "umount" system calls. + of the "sudoedit" command. 
rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500330 +- id: RHEL-10-500570 levels: - medium title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chacl" command. + of the "unix_chkpwd" command. 
rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - audit_rules_privileged_commands_unix_chkpwd + status: automated +- id: RHEL-10-500580 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "unix_update" command. + rules: - audit_rules_privileged_commands_unix_update + status: automated +- id: RHEL-10-500590 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "userhelper" command. + rules: - audit_rules_privileged_commands_userhelper + status: automated +- id: RHEL-10-500600 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "usermod" command. + rules: - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - 
service_auditd_enabled status: automated -- id: RHEL-10-500340 +- id: RHEL-10-500610 levels: - medium title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setfacl" command. + of the "mount" command. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - 
audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled + notes: > + Confusing requirement, probably a bug in the DISA STIG - title mentions the + "mount" command but the example audit rule in the check and fixtext isn't + an audit rule watching a command, instead it watches the mount syscall. 
+ The selected rule audit_rules_media_export watches the syscall. If the + command should be watched, the rule audit_rules_privileged_commands_mount + should be selected instead. status: automated -- id: RHEL-10-500350 +- id: RHEL-10-500620 levels: - medium title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chcon" command. + of the "init" command. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - 
audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500360 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "semanage" 
command. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500370 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setfiles" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500380 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setsebool" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500390 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" - system calls. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500400 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "delete_module" system call. 
- rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - 
audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500410 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "init_module" and "finit_module" system calls. 
- rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - 
audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500420 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chage" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500430 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chsh" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500440 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "crontab" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500450 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "gpasswd" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500460 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "kmod" command. 
- rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - 
audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500470 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "newgrp" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500480 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "pam_timestamp_check" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500490 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "passwd" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500500 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "postdrop" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500510 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "postqueue" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500520 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the ssh-agent command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500530 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "ssh-keysign" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500540 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "su" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_suid_privilege_function - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500550 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "sudo" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_suid_privilege_function - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500560 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "sudoedit" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_suid_privilege_function - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500570 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "unix_chkpwd" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500580 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "unix_update" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500590 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "userhelper" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500600 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "usermod" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500610 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "mount" command. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500620 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "init" command. 
- rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_rmmod - status: automated -- id: RHEL-10-500630 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "poweroff" command. - rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_rmmod - status: automated -- id: RHEL-10-500640 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "reboot" command. - rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_rmmod - status: automated -- id: RHEL-10-500650 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the shutdown command. 
- rules: - - audit_privileged_commands_init - - audit_privileged_commands_poweroff - - audit_privileged_commands_reboot - - audit_privileged_commands_shutdown - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_rmmod - status: automated -- id: RHEL-10-500660 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "umount" system call. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - 
audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed 
- - service_auditd_enabled - status: automated -- id: RHEL-10-500670 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "umount2" system call. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - 
audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500680 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/sudoers". 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500690 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect the "/etc/sudoers.d/" directory. 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500700 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/group". 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500710 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/gshadow". 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled - status: automated -- id: RHEL-10-500720 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/opasswd". 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled + - audit_privileged_commands_init status: automated -- id: RHEL-10-500730 +- id: RHEL-10-500630 levels: - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/passwd". 
- rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "poweroff" command. + rules: + - audit_privileged_commands_poweroff status: automated -- id: RHEL-10-500740 +- id: RHEL-10-500640 levels: - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/shadow". + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "reboot" command. 
+ rules: + - audit_privileged_commands_reboot + status: automated +- id: RHEL-10-500650 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the shutdown command. + rules: + - audit_privileged_commands_shutdown + status: automated +- id: RHEL-10-500660 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "umount" system call. rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - audit_rules_dac_modification_umount + status: automated +- id: RHEL-10-500670 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses + of the "umount2" system call. 
+ rules: - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - 
audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500750 +- id: RHEL-10-500680 levels: - medium title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/var/log/faillock". + disabling, and termination events that affect "/etc/sudoers". 
rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - 
audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500760 +- id: RHEL-10-500690 levels: - medium title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/var/log/lastlog". + disabling, and termination events that affect the "/etc/sudoers.d/" directory. 
rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - 
audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat + status: automated +- id: RHEL-10-500700 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/group". + rules: - audit_rules_usergroup_modification_group + status: automated +- id: RHEL-10-500710 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/gshadow". + rules: - audit_rules_usergroup_modification_gshadow + status: automated +- id: RHEL-10-500720 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/opasswd". 
+ rules: - audit_rules_usergroup_modification_opasswd + status: automated +- id: RHEL-10-500730 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/passwd". + rules: - audit_rules_usergroup_modification_passwd + status: automated +- id: RHEL-10-500740 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/etc/shadow". + rules: - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500780 +- id: RHEL-10-500750 levels: - medium - title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", - "fchmodat", and "fchmodat2" syscalls. + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/var/log/faillock". 
rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - audit_rules_login_events_faillock + status: automated +- id: RHEL-10-500760 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, + disabling, and termination events that affect "/var/log/lastlog". 
+ rules: - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - 
- configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500790 +- id: RHEL-10-500780 levels: - medium - title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", - "fchownat", and "lchown" syscalls. + title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", + "fchmodat", and "fchmodat2" syscalls. rules: - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchmodat2 - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - 
audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled status: automated -- id: RHEL-10-500810 +- id: RHEL-10-500790 levels: - medium - title: RHEL 10 must generate audit records for 
all uses of the "rename", "unlink", - "rmdir", "renameat", "renameat2", and "unlinkat" system calls. + title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", + "fchownat", and "lchown" syscalls. rules: - - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_execution_chacl - - audit_rules_execution_chcon - - audit_rules_execution_semanage - - audit_rules_execution_setfacl - - audit_rules_execution_setfiles - - audit_rules_execution_setsebool - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_newgrp - - 
audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_pkexec - - audit_rules_privileged_commands_postdrop - - audit_rules_privileged_commands_postqueue - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_sudoedit - - audit_rules_privileged_commands_umount - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix_update - - audit_rules_privileged_commands_userhelper - - audit_rules_privileged_commands_usermod - - audit_rules_sudoers - - audit_rules_sudoers_d - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - auditd_local_events - - configure_usbguard_auditbackend - - grub2_audit_argument - - package_audit_installed - - service_auditd_enabled + status: automated +- id: RHEL-10-500810 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "rename", "unlink", + "rmdir", "renameat", "renameat2", and "unlinkat" system calls. 
+ rules: + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_unlinkat status: automated - id: RHEL-10-600000 levels: - medium title: RHEL 10 must require a boot loader superuser password. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - grub2_password - - require_singleuser_auth status: automated - id: RHEL-10-600010 levels: @@ -7022,25 +1913,14 @@ controls: title: RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - grub2_admin_username - - grub2_password - - require_singleuser_auth status: automated - id: RHEL-10-600020 levels: - medium title: RHEL 10 must not assign an interactive login shell for system accounts. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - no_shelllogin_for_systemaccounts status: automated - id: RHEL-10-600100 levels: @@ -7049,7 +1929,6 @@ controls: lifetime restriction for user account passwords in "/etc/login.defs". rules: - accounts_maximum_age_login_defs - - accounts_password_set_max_life_existing - var_accounts_maximum_age_login_defs=60 status: automated - id: RHEL-10-600110 @@ -7058,7 +1937,6 @@ controls: title: RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction. rules: - - accounts_maximum_age_login_defs - accounts_password_set_max_life_existing - var_accounts_maximum_age_login_defs=60 status: automated 
@@ -7068,10 +1946,7 @@ controls: title: RHEL 10 must assign a home directory for local interactive user accounts upon creation. rules: - - bios_enable_execution_restrictions - - grub2_init_on_free - - sysctl_kernel_exec_shield - - sysctl_kernel_kptr_restrict + - accounts_have_homedir_login_defs status: automated - id: RHEL-10-600130 levels: @@ -7080,8 +1955,6 @@ controls: users. rules: - account_unique_id - - gid_passwd_group_same - - group_unique_id status: automated - id: RHEL-10-600140 levels: @@ -7095,9 +1968,7 @@ controls: - medium title: RHEL 10 must assign a primary group to all interactive users. rules: - - account_unique_id - gid_passwd_group_same - - group_unique_id status: automated - id: RHEL-10-600160 levels: @@ -7106,6 +1977,7 @@ controls: devices) after 35 days of inactivity. rules: - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=35 status: automated - id: RHEL-10-600170 levels: @@ -7113,18 +1985,16 @@ controls: title: RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories. - rules: [] - status: pending + rules: + - accounts_user_home_paths_only + status: automated - id: RHEL-10-600180 levels: - medium title: RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" file. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - accounts_user_interactive_home_directory_defined status: automated - id: RHEL-10-600190 levels: 
@@ -7132,10 +2002,7 @@ controls: title: RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" file must exist. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - accounts_user_interactive_home_directory_exists status: automated - id: RHEL-10-600200 levels: @@ -7143,13 +2010,8 @@ controls: title: RHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt. rules: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never + - accounts_logon_fail_delay + - var_accounts_fail_delay=4 status: automated - id: RHEL-10-600210 levels: @@ -7158,7 +2020,6 @@ controls: passwords for new users or password changes in "/etc/login.defs". rules: - accounts_minimum_age_login_defs - - accounts_password_set_min_life_existing - var_accounts_minimum_age_login_defs=1 status: automated - id: RHEL-10-600220 @@ -7166,7 +2027,6 @@ controls: - medium title: RHEL 10 must enforce that passwords be created with a minimum of 15 characters. rules: - - accounts_password_pam_enforce_root - accounts_password_pam_minlen - var_password_pam_minlen=15 status: automated @@ -7176,7 +2036,6 @@ controls: title: RHEL 10 must enforce password complexity by requiring at least one special character to be used. rules: - - accounts_password_pam_enforce_root - accounts_password_pam_ocredit - var_password_pam_ocredit=1 status: automated 
@@ -7186,7 +2045,6 @@ controls: title: RHEL 10 must enforce password complexity by requiring that at least one lowercase character be used. rules: - - accounts_password_pam_enforce_root - accounts_password_pam_lcredit - var_password_pam_lcredit=1 status: automated @@ -7196,14 +2054,7 @@ controls: title: RHEL 10 must enforce password complexity by requiring that at least one uppercase character be used. rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_lcredit - - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - accounts_password_pam_ucredit - - var_password_pam_lcredit=1 - - var_password_pam_retry=3 - var_password_pam_ucredit=1 status: automated - id: RHEL-10-600260 @@ -7213,14 +2064,7 @@ controls: are changed. rules: - accounts_password_pam_difok - - accounts_password_pam_enforce_root - - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - - accounts_password_pam_minclass - var_password_pam_difok=8 - - var_password_pam_maxclassrepeat=4 - - var_password_pam_maxrepeat=3 - - var_password_pam_minclass=4 status: automated - id: RHEL-10-600270 levels: @@ -7228,7 +2072,6 @@ controls: title: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in "/etc/shadow". rules: - - accounts_minimum_age_login_defs - accounts_password_set_min_life_existing - var_accounts_minimum_age_login_defs=1 status: automated 
@@ -7238,20 +2081,8 @@ controls: title: RHEL 10 must require the maximum number of repeating characters of the same character class to be limited to four when passwords are changed. rules: - - accounts_password_pam_dictcheck - - accounts_password_pam_difok - - accounts_password_pam_enforce_root - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - - accounts_password_pam_minclass - - var_password_pam_dictcheck=1 - - var_password_pam_difok=8 - var_password_pam_maxclassrepeat=4 - - var_password_pam_maxrepeat=3 - - var_password_pam_minclass=4 - - var_password_pam_remember=5 - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-600290 levels: @@ -7259,15 +2090,8 @@ controls: title: RHEL 10 must require that the maximum number of repeating characters be limited to three when passwords are changed. rules: - - accounts_password_pam_difok - - accounts_password_pam_enforce_root - - accounts_password_pam_maxclassrepeat - accounts_password_pam_maxrepeat - - accounts_password_pam_minclass - - var_password_pam_difok=8 - - var_password_pam_maxclassrepeat=4 - var_password_pam_maxrepeat=3 - - var_password_pam_minclass=4 status: automated - id: RHEL-10-600300 levels: @@ -7275,14 +2099,7 @@ controls: title: RHEL 10 must require the change of at least four character classes when passwords are changed. rules: - - accounts_password_pam_difok - - accounts_password_pam_enforce_root - - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - accounts_password_pam_minclass - - var_password_pam_difok=8 - - var_password_pam_maxclassrepeat=4 - - var_password_pam_maxrepeat=3 - var_password_pam_minclass=4 status: automated - id: RHEL-10-600310 @@ -7292,7 +2109,6 @@ controls: character be used. rules: - accounts_password_pam_dcredit - - accounts_password_pam_enforce_root - var_password_pam_dcredit=1 status: automated - id: RHEL-10-600320 
@@ -7301,15 +2117,6 @@ controls: title: RHEL 10 must prevent the use of dictionary words for passwords. rules: - accounts_password_pam_dictcheck - - accounts_password_pam_difok - - accounts_password_pam_enforce_root - - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - - accounts_password_pam_minclass - - var_password_pam_difok=8 - - var_password_pam_maxclassrepeat=4 - - var_password_pam_maxrepeat=3 - - var_password_pam_minclass=4 status: automated - id: RHEL-10-600400 levels: @@ -7317,43 +2124,14 @@ controls: title: RHEL 10 must allow only the root account to have unrestricted access to the system. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_no_uid_except_zero status: automated - id: RHEL-10-600405 levels: - medium title: RHEL 10 must enforce password complexity rules for the "root" account. rules: - - accounts_password_pam_dcredit - - accounts_password_pam_dictcheck - - accounts_password_pam_difok - accounts_password_pam_enforce_root - - accounts_password_pam_lcredit - - accounts_password_pam_maxclassrepeat - - accounts_password_pam_maxrepeat - - accounts_password_pam_minclass - - accounts_password_pam_minlen - - accounts_password_pam_ocredit - - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - - var_password_pam_dcredit=1 - - var_password_pam_difok=8 - - var_password_pam_lcredit=1 - - var_password_pam_maxclassrepeat=4 - - var_password_pam_maxrepeat=3 - - var_password_pam_minclass=4 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - - var_password_pam_retry=3 - - var_password_pam_ucredit=1 status: automated - id: RHEL-10-600410 levels: 
@@ -7361,19 +2139,8 @@ controls: title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600415 levels: @@ -7382,19 +2149,7 @@ controls: released by an administrator when three unsuccessful login attempts occur during a 15-minute time period. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600420 levels: 
@@ -7402,19 +2157,8 @@ controls: title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600425 levels: @@ -7422,18 +2166,7 @@ controls: title: RHEL 10 must maintain an account lock until the locked account is released by an administrator. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600430 
@@ -7441,66 +2174,37 @@ controls: - medium title: RHEL 10 must ensure account lockouts persist. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600450 levels: - medium title: RHEL 10 must not have unauthorized accounts. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - accounts_authorized_local_users + - var_accounts_authorized_local_users_regex=rhel9 status: automated + notes: > + TODO: create a RHEL 10 option in the var_accounts_authorized_local_users_regex variable - id: RHEL-10-600455 levels: - medium title: RHEL 10 must not allow blank or null passwords. rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - - var_password_pam_retry=3 - - var_password_pam_ucredit=1 + - no_empty_passwords status: automated - id: RHEL-10-600460 levels: - medium title: RHEL 10 must not have accounts configured with blank or null passwords. 
rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - - var_password_pam_retry=3 - - var_password_pam_ucredit=1 + - no_empty_passwords_etc_shadow status: automated - id: RHEL-10-600470 levels: - medium title: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". rules: - - account_unique_id - - gid_passwd_group_same - group_unique_id status: automated - id: RHEL-10-600475 @@ -7518,23 +2222,14 @@ controls: title: RHEL 10 must ensure the password complexity module in the system-auth file is configured for three or fewer retries. rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_pwquality_password_auth - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - var_password_pam_retry=3 - - var_password_pam_ucredit=1 status: automated - id: RHEL-10-600500 levels: - medium title: RHEL 10 must restrict the use of the "su" command. rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - use_pam_wheel_for_su status: automated - id: RHEL-10-600510 
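Review bot: RHEL-10-600450 is marked `status: automated` while selecting `var_accounts_authorized_local_users_regex=rhel9`, and the attached `notes` TODO acknowledges the RHEL 9 option is only a stand-in. If that option enumerates RHEL 9's default accounts (inferred from its name), the check will presumably be evaluated against the wrong account set on RHEL 10 and can report legitimate default accounts as unauthorized or miss ones that differ. Until a rhel10 option exists, consider reflecting the gap in the status (the file already uses `pending` for unfinished controls) or at least adding a tracking reference to the note, e.g. `TODO(<tracking-ref>): add a rhel10 option to var_accounts_authorized_local_users_regex and switch this control to it`, so the stand-in is not lost once the control is treated as automated.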
@@ -7544,38 +2239,28 @@ controls: escalation. rules: - disallow_bypass_password_sudo - - sudo_remove_no_authenticate - - sudo_remove_nopasswd status: automated - id: RHEL-10-600520 levels: - medium title: RHEL 10 must restrict privilege elevation to authorized personnel. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sudo_restrict_privilege_elevation_to_authorized status: automated - id: RHEL-10-600530 levels: - medium title: RHEL 10 must require users to reauthenticate for privilege escalation. rules: - - disallow_bypass_password_sudo - sudo_remove_no_authenticate - - sudo_remove_nopasswd status: automated - id: RHEL-10-600540 levels: - medium title: RHEL 10 must require reauthentication when using the "sudo" command. rules: - - disallow_bypass_password_sudo - - sudo_remove_no_authenticate - - sudo_remove_nopasswd + - sudo_require_reauthentication + - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-600550 levels: @@ -7583,16 +2268,13 @@ controls: title: RHEL 10 must use the invoking user's password for privilege escalation when using "sudo". rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd + - sudoers_validate_passwd status: automated - id: RHEL-10-600560 levels: - high title: RHEL 10 must require users to provide a password for privilege escalation. rules: - - disallow_bypass_password_sudo - - sudo_remove_no_authenticate - sudo_remove_nopasswd status: automated - id: RHEL-10-600600 
@@ -7601,19 +2283,7 @@ controls: title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" file. rules: - - account_password_pam_faillock_password_auth - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600610 levels: @@ -7622,18 +2292,6 @@ controls: file. rules: - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-600620 levels: 
@@ -7641,15 +2299,7 @@ controls: title: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file. rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_lcredit - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - - var_password_pam_lcredit=1 - - var_password_pam_retry=3 - - var_password_pam_ucredit=1 status: automated - id: RHEL-10-600630 levels: @@ -7657,13 +2307,7 @@ controls: title: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file. rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_pwquality_password_auth - - accounts_password_pam_pwquality_retry - accounts_password_pam_pwquality_system_auth - - accounts_password_pam_ucredit - - var_password_pam_retry=3 - - var_password_pam_ucredit=1 status: automated - id: RHEL-10-600640 levels: @@ -7672,7 +2316,6 @@ controls: SSHD. rules: - sshd_enable_pam - - sysctl_crypto_fips_enabled status: automated - id: RHEL-10-600650 levels: @@ -7680,15 +2323,8 @@ controls: title: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - var_password_hashing_algorithm_pam=sha512 - - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-600700 levels: 
@@ -7696,14 +2332,7 @@ controls: title: RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_algorithm_pam=sha512 + - accounts_password_pam_unix_rounds_system_auth - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-600710 @@ -7713,15 +2342,8 @@ controls: algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - var_password_hashing_algorithm_pam=sha512 - - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-600720 levels: @@ -7729,14 +2351,7 @@ controls: title: RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_algorithm_pam=sha512 + - accounts_password_pam_unix_rounds_password_auth - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-600730 
@@ -7745,15 +2360,7 @@ controls: title: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords. rules: - - libreswan_approved_tunnels - - package_rsyslog-gnutls_installed - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_algorithm_pam=sha512 - - var_password_pam_unix_rounds=100000 + - accounts_password_all_shadowed_sha512 status: automated - id: RHEL-10-600740 levels: @@ -7761,13 +2368,8 @@ controls: title: RHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords. rules: - - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_algorithm_pam=sha512 - - var_password_pam_unix_rounds=100000 + - var_password_hashing_algorithm=SHA512 status: automated - id: RHEL-10-600750 levels: @@ -7776,12 +2378,7 @@ controls: utilities are configured to store only encrypted representations of passwords. rules: - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_systemauth - - set_password_hashing_min_rounds_logindefs - var_password_hashing_algorithm_pam=sha512 - - var_password_pam_unix_rounds=100000 status: automated - id: RHEL-10-700010 levels: 
@@ -7790,13 +2387,7 @@ controls: before granting local or remote access to the system via a Secure Shell (SSH) login. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - sshd_enable_warning_banner status: automated - id: RHEL-10-700020 levels: @@ -7804,10 +2395,9 @@ controls: title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login. rules: - - banner_etc_issue - - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - sshd_enable_warning_banner + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default status: automated - id: RHEL-10-700030 levels: @@ -7815,10 +2405,7 @@ controls: title: RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. rules: - - banner_etc_issue - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - sshd_enable_warning_banner status: automated - id: RHEL-10-700040 levels: @@ -7827,9 +2414,8 @@ controls: before granting local or remote access to the system via a command line user login. rules: - banner_etc_issue - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - sshd_enable_warning_banner + - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: RHEL-10-700100 levels: 
@@ -7837,13 +2423,7 @@ controls: title: RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS). rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_nodev_remote_filesystems status: automated - id: RHEL-10-700105 levels: @@ -7851,13 +2431,7 @@ controls: title: RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS). rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_noexec_remote_filesystems status: automated - id: RHEL-10-700110 levels: @@ -7865,13 +2439,7 @@ controls: title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS). rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_nosuid_remote_filesystems status: automated - id: RHEL-10-700115 levels: 
@@ -7879,43 +2447,14 @@ controls: title: RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_krb_sec_remote_filesystems status: automated - id: RHEL-10-700120 levels: - medium title: RHEL 10 must mount "/boot" with the "nodev" option. rules: - - fapolicy_default_deny - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700125 levels: 
@@ -7923,30 +2462,7 @@ controls: title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700130 levels: 
@@ -7954,445 +2470,113 @@ controls: title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - mount_option_boot_efi_nosuid status: automated - id: RHEL-10-700135 levels: - medium title: RHEL 10 must mount "/dev/shm" with the "nodev" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700140 levels: - medium title: RHEL 10 must mount "/dev/shm" with the "noexec" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700145 levels: - medium title: RHEL 10 must mount "/dev/shm" with the "nosuid" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700150 levels: - medium title: RHEL 10 must mount "/tmp" with the "nodev" option. 
- rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled + rules: + - mount_option_tmp_nodev status: automated - id: RHEL-10-700155 levels: - medium title: RHEL 10 must mount "/tmp" with the "noexec" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700160 levels: - medium title: RHEL 10 must mount "/tmp" with the "nosuid" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700165 levels: - medium title: RHEL 10 must mount "/var" with the "nodev" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700170 levels: - medium title: RHEL 10 must mount "/var/log" with the "nodev" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700175 levels: - medium title: RHEL 10 must mount "/var/log" with the "noexec" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700180 levels: - medium title: RHEL 10 must mount "/var/log" with the "nosuid" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700185 levels: - medium title: RHEL 10 must mount "/var/tmp" with the "nodev" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700190 levels: - medium title: RHEL 10 must mount "/var/tmp" with the "noexec" option. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700195 levels: - medium title: RHEL 10 must mount "/var/tmp" with the "nosuid" option. rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700200 levels: - medium title: RHEL 10 must prevent special devices on nonroot local partitions. 
rules: - - fapolicy_default_deny - - mount_option_boot_nodev - - mount_option_boot_nosuid - - mount_option_dev_shm_nodev - - mount_option_dev_shm_noexec - - mount_option_dev_shm_nosuid - - mount_option_home_nodev - - mount_option_home_nosuid - mount_option_nodev_nonroot_local_partitions - - mount_option_tmp_nodev - - mount_option_tmp_noexec - - mount_option_tmp_nosuid - - mount_option_var_log_audit_nodev - - mount_option_var_log_audit_noexec - - mount_option_var_log_audit_nosuid - - mount_option_var_log_nodev - - mount_option_var_log_noexec - - mount_option_var_log_nosuid - - mount_option_var_nodev - - mount_option_var_tmp_nodev - - mount_option_var_tmp_noexec - - mount_option_var_tmp_nosuid - - package_fapolicyd_installed - - service_fapolicyd_enabled status: automated - id: RHEL-10-700400 levels: - medium title: RHEL 10 must enable the SELinux targeted policy. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - selinux_policytype - - selinux_state - var_selinux_policy_name=targeted - - var_selinux_state=enforcing status: automated - id: RHEL-10-700410 levels: 
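Review bot: The `rules:` line of RHEL-10-700150 is removed and re-added with no visible change in content (`- rules:` … `+ rules:` just before `+ - mount_option_tmp_nodev`), which usually indicates a trailing-whitespace or indentation difference between the generated file and the hand-edited one; the same pattern appears for RHEL-10-700420 in the `@@ -8400,33 +2584,15 @@` hunk. Normalising that whitespace before committing would keep the diff limited to the rule-selection changes and avoid a yamllint trailing-spaces finding on the file.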
@@ -8400,33 +2584,15 @@ controls: title: RHEL 10 must elevate the SELinux context when an administrator calls the sudo command. rules: - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - var_sudo_timestamp_timeout=always_prompt + - selinux_context_elevation_for_sudo status: automated - id: RHEL-10-700420 levels: - medium title: RHEL 10 must use a Linux Security Module configured to enforce limits on system services. - rules: - - grub2_init_on_free - - grub2_page_poison_argument - - grub2_vsyscall_argument - - package_aide_installed - - package_policycoreutils_installed - - selinux_context_elevation_for_sudo - - selinux_policytype + rules: - selinux_state - - var_selinux_policy_name=targeted - var_selinux_state=enforcing status: automated - id: RHEL-10-700430 @@ -8435,19 +2601,7 @@ controls: title: RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - account_password_selinux_faillock_dir - - accounts_passwords_pam_faillock_audit - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - - audit_rules_login_events_faillock - - var_accounts_passwords_pam_faillock_deny=3 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=never status: automated - id: RHEL-10-700500 levels: 
@@ -8455,39 +2609,31 @@ controls: title: RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - file_permissions_sshd_pub_key status: automated - id: RHEL-10-700510 levels: - medium title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication. - rules: [] - status: pending + rules: + - sshd_disable_gssapi_auth + status: automated - id: RHEL-10-700520 levels: - medium title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication. - rules: [] - status: pending + rules: + - sshd_disable_kerb_auth + status: automated - id: RHEL-10-700530 levels: - medium title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_disable_rhosts status: automated - id: RHEL-10-700540 levels: @@ -8495,12 +2641,7 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_disable_user_known_hosts status: automated - id: RHEL-10-700550 levels: 
@@ -8508,12 +2649,7 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_disable_x11_forwarding status: automated - id: RHEL-10-700560 levels: @@ -8521,12 +2657,7 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_enable_strictmodes status: automated - id: RHEL-10-700570 levels: @@ -8534,12 +2665,7 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_print_last_log status: automated - id: RHEL-10-700580 levels: @@ -8547,12 +2673,7 @@ controls: title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - sshd_x11_use_localhost status: automated - id: RHEL-10-700590 levels: 
@@ -8560,38 +2681,25 @@ controls: title: RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - file_permissions_sshd_config + - directory_permissions_sshd_config_d + - file_permissions_sshd_drop_in_config + notes: > + TODO: STIG recommends to use rpm to verify the permissions. status: automated - id: RHEL-10-700600 levels: - medium title: RHEL 10 must be configured so that SSHD accepts public key authentication. rules: - - configure_opensc_card_drivers - - install_smartcard_packages - - sshd_disable_empty_passwords - sshd_enable_pubkey_auth - - sssd_enable_smartcards - - var_smartcard_drivers=cac status: automated - id: RHEL-10-700610 levels: - medium title: RHEL 10 must be configured so that SSHD does not allow blank passwords. rules: - - configure_opensc_card_drivers - - disable_host_auth - - gnome_gdm_disable_automatic_login - sshd_disable_empty_passwords - - sshd_do_not_permit_user_env - - sshd_enable_pubkey_auth - - var_smartcard_drivers=cac status: automated - id: RHEL-10-700620 levels: @@ -8599,7 +2707,6 @@ controls: title: RHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH). rules: - - configure_opensc_card_drivers - sshd_disable_root_login status: automated - id: RHEL-10-700630 
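Review bot: RHEL-10-700590 is marked `status: automated` while its own `notes` field states that the STIG check relies on rpm-based verification that the three selected permission rules do not perform, so the status overstates what the profile actually checks. If the controls schema accepts it, `status: partial` describes the current coverage until an rpm-based rule exists; otherwise the note should say which part of the STIG check remains uncovered. The TODO text also reads better as `TODO: STIG recommends using rpm to verify the permissions.`.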
@@ -8608,23 +2715,14 @@ controls: title: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - disable_host_auth status: automated - id: RHEL-10-700640 levels: - high title: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - sshd_do_not_permit_user_env status: automated - id: RHEL-10-700650 levels: @@ -8632,16 +2730,9 @@ controls: title: RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections to the server. rules: - - configure_bind_crypto_policy - - configure_libreswan_crypto_policy - - package_openssh-server_installed - - service_sshd_enabled - - ssh_client_rekey_limit - sshd_rekey_limit - - sysctl_crypto_fips_enabled - var_rekey_limit_size=1G - var_rekey_limit_time=1hour - - wireless_disable_interfaces status: automated - id: RHEL-10-700660 levels: @@ -8649,11 +2740,7 @@ controls: title: RHEL 10 must be configured so that all network connections associated with Secure Shell (SSH) traffic terminate after becoming unresponsive. rules: - - accounts_tmout - - logind_session_timeout - - sshd_set_idle_timeout - sshd_set_keepalive - - var_accounts_tmout=15_min - var_sshd_set_keepalive=1 status: automated - id: RHEL-10-700670 
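Review bot: In the `@@ -8649,11 +2740,7 @@` hunk RHEL-10-700660 keeps only `sshd_set_keepalive` with `var_sshd_set_keepalive=1`, but a ClientAliveCountMax value has no effect unless ClientAliveInterval is non-zero, and the rule that sets it, `sshd_set_idle_timeout`, is removed from this control in the same hunk. The termination of unresponsive connections that the title requires therefore depends on RHEL-10-700930 (in a later hunk) staying selected in the same profile. A `notes: > Effective only together with RHEL-10-700930, which sets ClientAliveInterval.` entry on this control would make that dependency visible to anyone tailoring the profile.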
@@ -8662,40 +2749,21 @@ controls: title: RHEL 10 must forward mail from postmaster to the root account using a postfix alias. rules: - - audit_rules_system_shutdown - - auditd_data_retention_action_mail_acct - - package_postfix_installed - - postfix_client_configure_mail_alias - postfix_client_configure_mail_alias_postmaster - - var_audit_failure_mode=panic - - var_auditd_action_mail_acct=root - - var_postfix_root_mail_alias=mil_sysadmin status: automated - id: RHEL-10-700680 levels: - medium title: RHEL 10 must not have a "shosts.equiv" file on the system. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - no_host_based_files status: automated - id: RHEL-10-700690 levels: - medium title: RHEL 10 must not have any ".shosts" files on the system. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - no_user_host_based_files status: automated - id: RHEL-10-700700 levels: @@ -8704,12 +2772,6 @@ controls: user interface automount function. rules: - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-700710 levels: 
@@ -8717,13 +2779,7 @@ controls: title: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function. rules: - - dconf_gnome_disable_automount_open - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-700720 levels: @@ -8731,13 +2787,7 @@ controls: title: RHEL 10 must not allow unattended or automatic login via the graphical user interface. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - gnome_gdm_disable_automatic_login status: automated - id: RHEL-10-700730 levels: @@ -8746,8 +2796,6 @@ controls: user smart card removal action. rules: - dconf_gnome_lock_screen_on_smartcard_removal - - dconf_gnome_screensaver_lock_enabled - - dconf_gnome_screensaver_lock_locked status: automated - id: RHEL-10-700740 levels: @@ -8755,7 +2803,6 @@ controls: title: RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. rules: - - dconf_gnome_lock_screen_on_smartcard_removal - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_lock_locked status: automated @@ -8766,12 +2813,7 @@ controls: of inactivity. rules: - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_mode_blank - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds status: automated - id: RHEL-10-700760 levels: 
@@ -8779,13 +2821,7 @@ controls: title: RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface. rules: - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_mode_blank - - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds status: automated - id: RHEL-10-700770 levels: @@ -8793,12 +2829,7 @@ controls: title: RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated. rules: - - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_mode_blank - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds status: automated - id: RHEL-10-700780 @@ -8807,13 +2838,7 @@ controls: title: RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface. rules: - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_mode_blank - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds status: automated - id: RHEL-10-700790 levels: @@ -8828,13 +2853,7 @@ controls: - medium title: RHEL 10 must ensure effective dconf policy matches the policy keyfiles. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - dconf_db_up_to_date status: automated - id: RHEL-10-700810 levels: 
@@ -8842,12 +2861,7 @@ controls: title: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. rules: - - package_aide_installed - - selinux_context_elevation_for_sudo - - selinux_policytype - - selinux_state - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing + - dconf_gnome_disable_restart_shutdown status: automated - id: RHEL-10-700820 levels: @@ -8855,10 +2869,7 @@ controls: title: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - dconf_gnome_disable_ctrlaltdel_reboot status: automated - id: RHEL-10-700830 levels: @@ -8866,33 +2877,21 @@ controls: title: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - disable_ctrlaltdel_reboot status: automated - id: RHEL-10-700840 levels: - medium title: RHEL 10 must disable the user list at login for graphical user interfaces. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - dconf_gnome_disable_user_list status: automated - id: RHEL-10-700850 levels: - medium title: RHEL 10 must be configured to disable USB mass storage. rules: - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-700860 levels: 
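Review bot: `disable_ctrlaltdel_reboot` is now the only rule for both RHEL-10-700830 in this hunk and RHEL-10-700960 in the `@@ -9001,33 +2960,13 @@` hunk, so the two controls become indistinguishable in the generated profile although their titles describe different requirements. Combined with RHEL-10-700820, whose title is about preventing a user from overriding the Ctrl-Alt-Del setting but which is mapped to the value-setting `dconf_gnome_disable_ctrlaltdel_reboot` rather than a dconf lock rule, the three mappings look as if they may be shifted by one; please confirm each against the STIG check text for that ID. If 700830's check is the GNOME `logout` key, the fix would be moving `dconf_gnome_disable_ctrlaltdel_reboot` to 700830 and giving 700820 the corresponding lock rule, should the rule set have one.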
@@ -8900,20 +2899,12 @@ controls: title: RHEL 10 must disable Bluetooth. rules: - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled - - wireless_disable_interfaces status: automated - id: RHEL-10-700870 levels: - medium title: RHEL 10 must disable wireless network adapters. rules: - - kernel_module_bluetooth_disabled - - package_openssh-server_installed - - service_sshd_enabled - - ssh_client_rekey_limit - wireless_disable_interfaces status: automated - id: RHEL-10-700880 @@ -8922,25 +2913,13 @@ controls: title: RHEL 10 must disable the graphical user interface automounter unless required. rules: - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-700890 levels: - low title: RHEL 10 must disable the graphical user interface autorunner unless required. rules: - - dconf_gnome_disable_automount_open - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-700900 levels: @@ -8949,9 +2928,6 @@ controls: code execution. rules: - bios_enable_execution_restrictions - - grub2_init_on_free - - sysctl_kernel_exec_shield - - sysctl_kernel_kptr_restrict status: automated - id: RHEL-10-700920 levels: 
@@ -8960,17 +2936,7 @@ controls: 15 minutes of inactivity. rules: - accounts_tmout - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - - inactivity_timeout_value=15_minutes - - logind_session_timeout - - sshd_set_idle_timeout - - sshd_set_keepalive - var_accounts_tmout=15_min - - var_screensaver_lock_delay=5_seconds - - var_sshd_set_keepalive=1 status: automated - id: RHEL-10-700930 levels: @@ -8978,22 +2944,15 @@ controls: title: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon. rules: - - accounts_tmout - - logind_session_timeout - sshd_set_idle_timeout - - sshd_set_keepalive - - var_accounts_tmout=15_min - - var_sshd_set_keepalive=1 + - sshd_idle_timeout_value=10_minutes status: automated - id: RHEL-10-700940 levels: - medium title: RHEL 10 must not default to the graphical display manager unless approved. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - xwindows_runlevel_target status: automated - id: RHEL-10-700950 levels: 
@@ -9001,33 +2960,13 @@ controls: title: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence. rules: - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-700960 levels: - high title: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence. rules: - - disable_ctrlaltdel_burstaction - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-700980 levels: @@ -9035,32 +2974,21 @@ controls: title: RHEL 10 must disable the ability of systemd to spawn an interactive boot process. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - grub2_disable_interactive_boot status: automated - id: RHEL-10-700990 levels: - medium title: RHEL 10 must disable virtual system calls. rules: - - grub2_init_on_free - - grub2_page_poison_argument - grub2_vsyscall_argument - - package_policycoreutils_installed - - selinux_state status: automated - id: RHEL-10-701000 levels: - medium title: RHEL 10 must clear the page allocator to prevent use-after-free attacks. rules: - - grub2_init_on_free - grub2_page_poison_argument - - grub2_vsyscall_argument - - package_policycoreutils_installed - - selinux_state status: automated - id: RHEL-10-701010 levels: 
@@ -9068,10 +2996,6 @@ controls: title: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks. rules: - grub2_init_on_free - - grub2_page_poison_argument - - grub2_vsyscall_argument - - package_policycoreutils_installed - - selinux_state status: automated - id: RHEL-10-701020 levels: @@ -9079,30 +3003,19 @@ controls: title: RHEL 10 must enable mitigations against processor-based vulnerabilities. rules: - grub2_pti_argument - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled - - sysctl_kernel_randomize_va_space status: automated - id: RHEL-10-701030 levels: - medium title: RHEL 10 must restrict access to the kernel message buffer. rules: - - dir_perms_world_writable_root_owned - - dir_perms_world_writable_sticky_bits - sysctl_kernel_dmesg_restrict - - sysctl_kernel_perf_event_paranoid status: automated - id: RHEL-10-701040 levels: - medium title: RHEL 10 must prevent kernel profiling by nonprivileged users. rules: - - dir_perms_world_writable_root_owned - - dir_perms_world_writable_sticky_bits - - sysctl_kernel_dmesg_restrict - sysctl_kernel_perf_event_paranoid status: automated - id: RHEL-10-701050 @@ -9110,12 +3023,6 @@ controls: - high title: RHEL 10 must prevent the loading of a new kernel for later execution. rules: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_redhat_gpgkey_installed - - package_sequoia-sq_installed - - package_subscription-manager_installed - sysctl_kernel_kexec_load_disabled status: automated - id: RHEL-10-701060 @@ -9123,9 +3030,6 @@ controls: - medium title: RHEL 10 must restrict exposed kernel pointer address access. rules: - - bios_enable_execution_restrictions - - grub2_init_on_free - - sysctl_kernel_exec_shield - sysctl_kernel_kptr_restrict status: automated - id: RHEL-10-701070 
@@ -9134,18 +3038,7 @@ controls: title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks. rules: - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - sysctl_fs_protected_hardlinks - - sysctl_fs_protected_symlinks - - use_pam_wheel_for_su - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-701080 levels: @@ -9153,28 +3046,14 @@ controls: title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. rules: - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - package_sudo_installed - - service_debug-shell_disabled - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - sysctl_fs_protected_hardlinks - sysctl_fs_protected_symlinks - - use_pam_wheel_for_su - - var_sudo_timestamp_timeout=always_prompt status: automated - id: RHEL-10-701090 levels: - medium title: RHEL 10 must disable the "kernel.core_pattern". rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - sysctl_kernel_core_pattern status: automated - id: RHEL-10-701100 levels: @@ -9182,10 +3061,7 @@ controls: title: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module. rules: - - kernel_module_bluetooth_disabled - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled status: automated - id: RHEL-10-701110 levels: 
@@ -9193,10 +3069,7 @@ controls: title: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - kernel_module_sctp_disabled - - kernel_module_tipc_disabled status: automated - id: RHEL-10-701120 levels: @@ -9204,9 +3077,6 @@ controls: title: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - kernel_module_tipc_disabled status: automated - id: RHEL-10-701130 
@@ -9215,114 +3085,78 @@ controls: title: RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. rules: - - grub2_pti_argument - sysctl_kernel_randomize_va_space status: automated - id: RHEL-10-701140 levels: - medium title: RHEL 10 must restrict usage of ptrace to descendant processes. - rules: [] - status: pending + rules: + - sysctl_kernel_yama_ptrace_scope + status: automated - id: RHEL-10-701150 levels: - medium title: RHEL 10 must disable core dump backtraces. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - coredump_disable_backtraces status: automated - id: RHEL-10-701160 levels: - medium title: RHEL 10 must disable storing core dumps. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - coredump_disable_storage status: automated - id: RHEL-10-701170 levels: - medium title: RHEL 10 must disable core dumps for all users. rules: - - kernel_module_bluetooth_disabled - - kernel_module_can_disabled - - kernel_module_sctp_disabled - - kernel_module_tipc_disabled + - disable_users_coredumps status: automated - id: RHEL-10-701180 levels: - medium title: RHEL 10 must disable acquiring, saving, and processing core dumps. - rules: [] - status: pending + rules: + - service_systemd-coredump_disabled + status: automated - id: RHEL-10-701190 levels: - medium title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution. rules: - - bios_enable_execution_restrictions - - grub2_init_on_free - sysctl_kernel_exec_shield - - sysctl_kernel_kptr_restrict status: automated - id: RHEL-10-701200 levels: - medium title: RHEL 10 must disable the kdump service. 
rules: - - service_systemd-journald_enabled + - service_kdump_disabled status: automated - id: RHEL-10-701210 levels: - medium title: RHEL 10 must disable file system automount function unless required. rules: - - dconf_gnome_disable_automount_open - - dconf_gnome_disable_autorun - - kernel_module_usb-storage_disabled - - package_usbguard_installed - service_autofs_disabled - - service_usbguard_enabled - - usbguard_generate_policy status: automated - id: RHEL-10-701220 levels: - medium title: RHEL 10 must enable certificate-based smart card authentication. rules: - - configure_opensc_card_drivers - - install_smartcard_packages - - package_opensc_installed - - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - - service_pcscd_enabled - - sshd_disable_empty_passwords - - sshd_enable_pubkey_auth - - sssd_certificate_verification - sssd_enable_smartcards - - var_smartcard_drivers=cac - - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-701230 levels: - medium title: RHEL 10 must implement certificate status checking for multifactor authentication. rules: - - install_smartcard_packages - - package_opensc_installed - - package_pcsc-lite-ccid_installed - - package_pcsc-lite_installed - - package_sssd_installed - - service_pcscd_enabled - - service_sssd_enabled - sssd_certificate_verification - - sssd_enable_smartcards - var_sssd_certificate_verification_digest_function=sha512 status: automated - id: RHEL-10-701240 
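Review bot: RHEL-10-701190 (nonexecutable data) is mapped to `sysctl_kernel_exec_shield` and left at `status: automated`, yet there is no `kernel.exec-shield` sysctl on the kernels RHEL 10 ships; if that rule only verifies that NX/XD is reported active, it is a hardware/firmware assertion with nothing the generated remediation can change. Please confirm what the rule's check and fix actually do before relying on `automated`, and if it is check-only say so on the control, e.g. `notes: >- Check only: NX must be enabled in firmware; no OS configuration is applied.` The ASLR, ptrace-scope and coredump mappings in the same hunk look consistent with their titles. This hunk begins on the previous line.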
@@ -9338,25 +3172,13 @@ controls: - medium title: RHEL 10 must require authentication to access emergency mode. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - require_emergency_target_auth status: automated - id: RHEL-10-701260 levels: - medium title: RHEL 10 must require authentication to access single-user mode. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - require_singleuser_auth status: automated - id: RHEL-10-701270 @@ -9366,7 +3188,6 @@ controls: a certification path (which includes status information) to an accepted trust anchor. rules: - - encrypt_partitions - sssd_has_trust_anchor status: automated - id: RHEL-10-701280 @@ -9389,12 +3210,7 @@ controls: - medium title: RHEL 10 must control remote access methods. rules: - - chronyd_client_only - - chronyd_no_chronyc_network - configure_firewalld_ports - - firewalld_sshd_port_enabled - - package_firewalld_installed - - service_firewalld_enabled status: automated - id: RHEL-10-800010 levels: 
@@ -9403,30 +3219,23 @@ controls: ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. rules: - - chronyd_client_only - - chronyd_no_chronyc_network - - configure_firewalld_ports - firewalld_sshd_port_enabled - - package_firewalld_installed - - service_firewalld_enabled status: automated - id: RHEL-10-800020 levels: - medium title: RHEL 10 must enforce that network interfaces not be in promiscuous mode. rules: - - configure_bind_crypto_policy - - package_openssh-server_installed - - service_sshd_enabled - - sysctl_crypto_fips_enabled + - network_sniffer_disabled status: automated - id: RHEL-10-800030 levels: - medium title: RHEL 10 must disable access to the network bpf system call from nonprivileged processes. - rules: [] - status: pending + rules: + - sysctl_kernel_unprivileged_bpf_disabled + status: automated - id: RHEL-10-800040 levels: - medium @@ -9436,9 +3245,6 @@ controls: - chronyd_or_ntpd_set_maxpoll - chronyd_server_directive - chronyd_specify_remote_server - - package_audit_installed - - package_chrony_installed - - service_chronyd_enabled - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours status: automated @@ -9448,10 +3254,7 @@ controls: title: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. rules: - - bios_enable_execution_restrictions - - grub2_init_on_free - - sysctl_kernel_exec_shield - - sysctl_kernel_kptr_restrict + - sysctl_net_core_bpf_jit_harden status: automated - id: RHEL-10-800060 levels: 
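Review bot: RHEL-10-800030 now maps to `sysctl_kernel_unprivileged_bpf_disabled`, and the value that rule enforces matters more than for most sysctls: `kernel.unprivileged_bpf_disabled=1` is one-way and cannot be lowered again until reboot, whereas `2` also blocks unprivileged BPF, can be toggled back, and is what recent kernels default to. Please confirm the rule's expected value matches what the STIG check for this ID accepts, and consider recording the irreversibility, e.g. `notes: >- Setting this to 1 is irreversible without a reboot; verify the check text before choosing 1 over the kernel default of 2.` Separately, `network_sniffer_disabled` for RHEL-10-800020 can only observe the PROMISC flag at scan time, so a pass is a point-in-time result with no persistent configuration behind it.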
@@ -9459,32 +3262,20 @@ controls: title: RHEL 10 must have at least two name servers configured for systems using Domain Name Server (DNS) resolution. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - network_configure_name_resolution status: automated - id: RHEL-10-800070 levels: - medium title: RHEL 10 must not have unauthorized IP tunnels configured. rules: - - account_temp_expire_date - - file_groupownership_audit_configuration - - file_ownership_audit_configuration - - file_permissions_audit_configuration - - grub2_admin_username - - grub2_password - - require_singleuser_auth + - libreswan_approved_tunnels status: automated - id: RHEL-10-800080 levels: - medium title: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - sysctl_net_ipv4_tcp_syncookies status: automated - id: RHEL-10-800090 @@ -9493,10 +3284,7 @@ controls: title: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_accept_redirects status: automated - id: RHEL-10-800100 levels: @@ -9504,10 +3292,7 @@ controls: title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_accept_source_route status: automated - id: RHEL-10-800110 levels: 
@@ -9515,10 +3300,7 @@ controls: title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_log_martians status: automated - id: RHEL-10-800120 levels: @@ -9526,10 +3308,7 @@ controls: title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_default_log_martians status: automated - id: RHEL-10-800130 levels: @@ -9537,10 +3316,7 @@ controls: title: RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_rp_filter status: automated - id: RHEL-10-800140 levels: @@ -9548,10 +3324,7 @@ controls: title: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_default_accept_redirects status: automated - id: RHEL-10-800150 levels: 
@@ -9559,10 +3332,7 @@ controls: title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_default_accept_source_route status: automated - id: RHEL-10-800160 levels: @@ -9570,10 +3340,7 @@ controls: title: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_default_rp_filter status: automated - id: RHEL-10-800170 levels: @@ -9581,10 +3348,7 @@ controls: title: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts status: automated - id: RHEL-10-800180 levels: @@ -9592,20 +3356,14 @@ controls: title: RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses status: automated - id: RHEL-10-800190 levels: - medium title: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_send_redirects status: automated - id: RHEL-10-800200 levels: 
@@ -9613,10 +3371,7 @@ controls: title: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_default_send_redirects status: automated - id: RHEL-10-800210 levels: @@ -9624,10 +3379,7 @@ controls: title: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_forwarding status: automated - id: RHEL-10-800220 levels: @@ -9635,10 +3387,7 @@ controls: title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_all_accept_ra status: automated - id: RHEL-10-800230 levels: @@ -9646,10 +3395,7 @@ controls: title: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_all_accept_redirects status: automated - id: RHEL-10-800240 levels: @@ -9657,10 +3403,7 @@ controls: title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_all_accept_source_route status: automated - id: RHEL-10-800250 levels: 
@@ -9668,10 +3411,7 @@ controls: title: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_all_forwarding status: automated - id: RHEL-10-800260 levels: @@ -9679,10 +3419,7 @@ controls: title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_default_accept_ra status: automated - id: RHEL-10-800270 levels: @@ -9690,10 +3427,7 @@ controls: title: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_default_accept_redirects status: automated - id: RHEL-10-800280 levels: @@ -9701,10 +3435,7 @@ controls: title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_default_accept_source_route status: automated - id: RHEL-10-800290 levels: @@ -9714,9 +3445,11 @@ controls: are implemented. rules: - firewalld-backend + related_rules: - sysctl_net_ipv4_tcp_invalid_ratelimit - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + notes: > + TODO: resolve mismatch of title and description status: automated - id: RHEL-10-800300 levels: 
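Review bot: RHEL-10-800290 keeps `status: automated` while the new `notes:` line says the title/description mismatch is unresolved and the `sysctl_net_ipv4_tcp_invalid_ratelimit` pair is parked under `related_rules:`; until it is decided whether `firewalld-backend` or the rate-limit sysctl actually satisfies the requirement, `automated` overstates the coverage. Suggest `status: partial` (or `pending`) for this control until the TODO is closed, and reference the tracking issue in the note so the placeholder does not outlive the review. The rest of the hunks on this line are one-to-one IPv6 sysctl mappings that match their titles.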
@@ -9725,10 +3458,8 @@ controls: conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks. rules: - - firewalld-backend - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - - sysctl_net_ipv4_tcp_syncookies + - networkmanager_dns_mode + - var_networkmanager_dns_mode=explicit_default status: automated - id: RHEL-10-800310 levels: @@ -9736,9 +3467,7 @@ controls: title: RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol (TFTP) server service is required. rules: - - package_telnet-server_removed - - package_tftp_removed - - package_vsftpd_removed + - tftp_uses_secure_mode_systemd status: automated - id: RHEL-10-900000 levels: @@ -9747,7 +3476,6 @@ controls: file to prevent unauthorized access. rules: - file_permissions_etc_audit_auditd - - file_permissions_etc_audit_rulesd status: automated - id: RHEL-10-900100 levels: @@ -9755,16 +3483,11 @@ controls: title: RHEL 10 must prevent unauthorized changes to the audit system. rules: - audit_rules_immutable - - directory_group_ownership_var_log_audit - - directory_ownership_var_log_audit - - directory_permissions_var_log_audit - - file_group_ownership_var_log_audit - - file_ownership_var_log_audit_stig - - file_permissions_var_log_audit status: automated - id: RHEL-10-001000 levels: - high title: RHEL 10 must be a vendor-supported release. - rules: [] - status: pending + rules: + - installed_OS_is_vendor_supported + status: automated From 8257c0d14c1f84a0c0706def4a5d5096e52069d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 25 Jun 2026 14:37:00 +0200 Subject: [PATCH 4/7] Update profile stability data --- .../profile_stability/rhel10/stig.profile | 53 +++++-------------- .../profile_stability/rhel10/stig_gui.profile | 52 +++++------------- 2 files changed, 24 insertions(+), 81 deletions(-) 
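Review bot: RHEL-10-900100 is now satisfied by `audit_rules_immutable` alone, which loads `-e 2`; once that flag is active the kernel rejects every further audit rule change until reboot, so `-e 2` must be the last rule augenrules loads and the remediations for the other audit controls in this file must run before this one or they will not take effect. That ordering constraint deserves a note on the control, e.g. `notes: >- Immutable mode (-e 2) must be applied after all other audit rules; later rule changes are rejected until reboot.` For RHEL-10-001000, `installed_OS_is_vendor_supported` is a version/lifecycle check only, which is fine for `automated` provided the rule's supported-version data already includes RHEL 10 — worth confirming since this is the first RHEL 10 STIG control file.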
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index 852e32158a64..fa944e100fab 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -11,6 +11,7 @@ accounts_max_concurrent_login_sessions
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
 accounts_no_uid_except_zero
+accounts_password_all_shadowed_sha512
 accounts_password_pam_dcredit
 accounts_password_pam_dictcheck
 accounts_password_pam_difok
@@ -25,6 +26,8 @@ accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_retry
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_ucredit
+accounts_password_pam_unix_rounds_password_auth
+accounts_password_pam_unix_rounds_system_auth
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_passwords_pam_faillock_audit
@@ -88,22 +91,17 @@ audit_rules_kernel_module_loading_finit
 audit_rules_kernel_module_loading_init
 audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
-audit_rules_login_events_tallylog
 audit_rules_media_export
 audit_rules_privileged_commands_chage
 audit_rules_privileged_commands_chsh
 audit_rules_privileged_commands_crontab
 audit_rules_privileged_commands_gpasswd
 audit_rules_privileged_commands_kmod
-audit_rules_privileged_commands_modprobe
-audit_rules_privileged_commands_mount
 audit_rules_privileged_commands_newgrp
 audit_rules_privileged_commands_pam_timestamp_check
 audit_rules_privileged_commands_passwd
-audit_rules_privileged_commands_pkexec
 audit_rules_privileged_commands_postdrop
 audit_rules_privileged_commands_postqueue
-audit_rules_privileged_commands_rmmod
 audit_rules_privileged_commands_ssh_agent
 audit_rules_privileged_commands_ssh_keysign
 audit_rules_privileged_commands_su
@@ -123,11 +121,7 @@ audit_rules_unsuccessful_file_modification_ftruncate
 audit_rules_unsuccessful_file_modification_open
 audit_rules_unsuccessful_file_modification_open_by_handle_at
 audit_rules_unsuccessful_file_modification_openat
-audit_rules_unsuccessful_file_modification_rename
-audit_rules_unsuccessful_file_modification_renameat
 audit_rules_unsuccessful_file_modification_truncate
-audit_rules_unsuccessful_file_modification_unlink
-audit_rules_unsuccessful_file_modification_unlinkat
 audit_rules_usergroup_modification_group
 audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
@@ -156,7 +150,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
@@ -179,6 +172,8 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -195,13 +190,11 @@ disable_ctrlaltdel_reboot
 disable_host_auth
 disable_users_coredumps
 disallow_bypass_password_sudo
-display_login_attempts
-dnf-automatic_apply_updates
 enable_fips_mode
+enable_gpgcheck_for_all_repositories
 encrypt_partitions
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_local_packages
-ensure_gpgcheck_never_disabled
 ensure_redhat_gpgkey_installed
 fapolicy_default_deny
 file_audit_tools_group_ownership
@@ -212,7 +205,6 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
-file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
 file_groupowner_cron_deny
@@ -236,7 +228,6 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
-file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
 file_owner_cron_deny
@@ -258,14 +249,11 @@ file_ownership_binary_dirs
 file_ownership_library_dirs
 file_ownership_var_log_audit_stig
 file_permission_user_init_files
-file_permission_user_init_files_root
-file_permissions_audit_configuration
 file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
 file_permissions_binary_dirs
-file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
 file_permissions_cron_hourly
@@ -289,7 +277,6 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 file_sshd_50_redhat_exists
-fips_crypto_subpolicy
 firewalld-backend
 firewalld_sshd_port_enabled
 gid_passwd_group_same
@@ -319,7 +306,7 @@ kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
 login_banner_contents=dod_default
 login_banner_text=dod_banners
-logind_session_timeout
+mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_nosuid
 mount_option_dev_shm_nodev
@@ -331,11 +318,8 @@ mount_option_home_nosuid
 mount_option_krb_sec_remote_filesystems
 mount_option_nodev_nonroot_local_partitions
 mount_option_nodev_remote_filesystems
-mount_option_nodev_removable_partitions
 mount_option_noexec_remote_filesystems
-mount_option_noexec_removable_partitions
 mount_option_nosuid_remote_filesystems
-mount_option_nosuid_removable_partitions
 mount_option_tmp_nodev
 mount_option_tmp_noexec
 mount_option_tmp_nosuid
@@ -384,7 +368,6 @@ package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed
 package_sequoia-sq_installed
-package_sssd_installed
 package_subscription-manager_installed
 package_sudo_installed
 package_telnet-server_removed
@@ -403,6 +386,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_client_configure_mail_alias_postmaster
 postfix_prevent_unrestricted_relay
+require_emergency_target_auth
 require_singleuser_auth
 root_permissions_syslibrary_files
 rootfiles_configured
@@ -427,21 +411,16 @@ service_kdump_disabled
 service_pcscd_enabled
 service_rsyslog_enabled
 service_sshd_enabled
-service_sssd_enabled
 service_systemd-coredump_disabled
 service_systemd-journald_enabled
 service_usbguard_enabled
-set_firewalld_default_zone
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
-set_password_hashing_min_rounds_logindefs
-ssh_client_rekey_limit
 ssh_keys_passphrase_protected
-sshd_approved_ciphers=stig_rhel9
-sshd_approved_macs=stig_rhel9
-sshd_disable_compression
+sshd_approved_ciphers=stig_rhel10
+sshd_approved_macs=stig_rhel10
 sshd_disable_empty_passwords
 sshd_disable_gssapi_auth
 sshd_disable_kerb_auth
@@ -455,7 +434,6 @@ sshd_enable_pubkey_auth
 sshd_enable_strictmodes
 sshd_enable_warning_banner
 sshd_idle_timeout_value=10_minutes
-sshd_include_crypto_policy
 sshd_print_last_log
 sshd_rekey_limit
 sshd_set_idle_timeout
@@ -488,17 +466,16 @@ sysctl_net_core_bpf_jit_harden
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_forwarding
+sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_rp_filter
 sysctl_net_ipv4_conf_all_send_redirects
 sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_source_route
+sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_rp_filter
 sysctl_net_ipv4_conf_default_send_redirects
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-sysctl_net_ipv4_ip_forward
-sysctl_net_ipv4_tcp_invalid_ratelimit
-sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
 sysctl_net_ipv4_tcp_syncookies
 sysctl_net_ipv6_conf_all_accept_ra
 sysctl_net_ipv6_conf_all_accept_redirects
@@ -510,7 +487,6 @@ sysctl_net_ipv6_conf_default_accept_source_route
 system_booted_in_fips_mode
 tftp_uses_secure_mode_systemd
 usbguard_generate_policy
-use_kerberos_security_all_exports
 use_pam_wheel_for_su
 var_account_disable_post_pw_expiration=35
 var_accounts_authorized_local_users_regex=rhel9
@@ -532,13 +508,11 @@ var_auditd_freq=100
 var_auditd_name_format=stig
 var_auditd_space_left_action=email
 var_auditd_space_left_percentage=25pc
-var_authselect_profile=sssd
 var_multiple_time_servers=stig
 var_networkmanager_dns_mode=explicit_default
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
 var_password_pam_dcredit=1
-var_password_pam_dictcheck=1
 var_password_pam_difok=8
 var_password_pam_lcredit=1
 var_password_pam_maxclassrepeat=4
@@ -546,8 +520,6 @@ var_password_pam_maxrepeat=3
 var_password_pam_minclass=4
 var_password_pam_minlen=15
 var_password_pam_ocredit=1
-var_password_pam_remember=5
-var_password_pam_remember_control_flag=requisite_or_required
 var_password_pam_retry=3
 var_password_pam_ucredit=1
 var_password_pam_unix_rounds=100000
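Review bot: The regenerated snapshot drops `var_password_pam_remember=5`, `var_password_pam_remember_control_flag=requisite_or_required` and `var_password_pam_dictcheck=1` while `accounts_password_pam_dictcheck` stays selected in the first hunk of this file, so that rule will now fall back to the variable's default rather than an explicitly pinned value. If the RHEL 10 STIG genuinely has no password-history requirement this is correct; if the corresponding controls in the control file merely lost their pwhistory rule during the mapping clean-up, this data will make the stability test bless a quieter weakening of the profile. Please confirm against the RHEL-10 IDs for password reuse and dictionary checking before accepting this snapshot.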
@@ -558,7 +530,6 @@ var_screensaver_lock_delay=5_seconds
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing
 var_smartcard_drivers=cac
-var_sshd_disable_compression=no
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha512
 var_sudo_timestamp_timeout=always_prompt
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index b66915644e0a..02096a5e3754 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -11,6 +11,7 @@ accounts_max_concurrent_login_sessions
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
 accounts_no_uid_except_zero
+accounts_password_all_shadowed_sha512
 accounts_password_pam_dcredit
 accounts_password_pam_dictcheck
 accounts_password_pam_difok
@@ -25,6 +26,8 @@ accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_retry
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_ucredit
+accounts_password_pam_unix_rounds_password_auth
+accounts_password_pam_unix_rounds_system_auth
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_passwords_pam_faillock_audit
@@ -88,22 +91,17 @@ audit_rules_kernel_module_loading_finit
 audit_rules_kernel_module_loading_init
 audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
-audit_rules_login_events_tallylog
 audit_rules_media_export
 audit_rules_privileged_commands_chage
 audit_rules_privileged_commands_chsh
 audit_rules_privileged_commands_crontab
 audit_rules_privileged_commands_gpasswd
 audit_rules_privileged_commands_kmod
-audit_rules_privileged_commands_modprobe
-audit_rules_privileged_commands_mount
 audit_rules_privileged_commands_newgrp
 audit_rules_privileged_commands_pam_timestamp_check
 audit_rules_privileged_commands_passwd
-audit_rules_privileged_commands_pkexec
 audit_rules_privileged_commands_postdrop
 audit_rules_privileged_commands_postqueue
-audit_rules_privileged_commands_rmmod
 audit_rules_privileged_commands_ssh_agent
 audit_rules_privileged_commands_ssh_keysign
 audit_rules_privileged_commands_su
@@ -123,11 +121,7 @@ audit_rules_unsuccessful_file_modification_ftruncate
 audit_rules_unsuccessful_file_modification_open
 audit_rules_unsuccessful_file_modification_open_by_handle_at
 audit_rules_unsuccessful_file_modification_openat
-audit_rules_unsuccessful_file_modification_rename
-audit_rules_unsuccessful_file_modification_renameat
 audit_rules_unsuccessful_file_modification_truncate
-audit_rules_unsuccessful_file_modification_unlink
-audit_rules_unsuccessful_file_modification_unlinkat
 audit_rules_usergroup_modification_group
 audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
@@ -156,7 +150,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
@@ -179,6 +172,8 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -195,13 +190,11 @@ disable_ctrlaltdel_reboot
 disable_host_auth
 disable_users_coredumps
 disallow_bypass_password_sudo
-display_login_attempts
-dnf-automatic_apply_updates
 enable_fips_mode
+enable_gpgcheck_for_all_repositories
 encrypt_partitions
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_local_packages
-ensure_gpgcheck_never_disabled
 ensure_redhat_gpgkey_installed
 fapolicy_default_deny
 file_audit_tools_group_ownership
@@ -212,7 +205,6 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
-file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
 file_groupowner_cron_deny
@@ -236,7 +228,6 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
-file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
 file_owner_cron_deny
@@ -258,14 +249,11 @@ file_ownership_binary_dirs
 file_ownership_library_dirs
 file_ownership_var_log_audit_stig
 file_permission_user_init_files
-file_permission_user_init_files_root
-file_permissions_audit_configuration
 file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
 file_permissions_binary_dirs
-file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
 file_permissions_cron_hourly
@@ -289,7 +277,6 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 file_sshd_50_redhat_exists
-fips_crypto_subpolicy
 firewalld-backend
 firewalld_sshd_port_enabled
 gid_passwd_group_same
@@ -319,6 +306,7 @@ kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
 login_banner_contents=dod_default
 login_banner_text=dod_banners
+mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_nosuid
 mount_option_dev_shm_nodev
@@ -330,11 +318,8 @@ mount_option_home_nosuid
 mount_option_krb_sec_remote_filesystems
 mount_option_nodev_nonroot_local_partitions
 mount_option_nodev_remote_filesystems
-mount_option_nodev_removable_partitions
 mount_option_noexec_remote_filesystems
-mount_option_noexec_removable_partitions
 mount_option_nosuid_remote_filesystems
-mount_option_nosuid_removable_partitions
 mount_option_tmp_nodev
 mount_option_tmp_noexec
 mount_option_tmp_nosuid
@@ -381,7 +366,6 @@ package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed
 package_sequoia-sq_installed
-package_sssd_installed
 package_subscription-manager_installed
 package_sudo_installed
 package_telnet-server_removed
@@ -400,6 +384,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_client_configure_mail_alias_postmaster
 postfix_prevent_unrestricted_relay
+require_emergency_target_auth
 require_singleuser_auth
 root_permissions_syslibrary_files
 rootfiles_configured
@@ -424,21 +409,16 @@ service_kdump_disabled
 service_pcscd_enabled
 service_rsyslog_enabled
 service_sshd_enabled
-service_sssd_enabled
 service_systemd-coredump_disabled
 service_systemd-journald_enabled
 service_usbguard_enabled
-set_firewalld_default_zone
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
-set_password_hashing_min_rounds_logindefs
-ssh_client_rekey_limit
 ssh_keys_passphrase_protected
-sshd_approved_ciphers=stig_rhel9
-sshd_approved_macs=stig_rhel9
-sshd_disable_compression
+sshd_approved_ciphers=stig_rhel10
+sshd_approved_macs=stig_rhel10
 sshd_disable_empty_passwords
 sshd_disable_gssapi_auth
 sshd_disable_kerb_auth
@@ -452,7 +432,6 @@ sshd_enable_pubkey_auth
 sshd_enable_strictmodes
 sshd_enable_warning_banner
 sshd_idle_timeout_value=10_minutes
-sshd_include_crypto_policy
 sshd_print_last_log
 sshd_rekey_limit
 sshd_set_idle_timeout
@@ -485,17 +464,16 @@ sysctl_net_core_bpf_jit_harden
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_forwarding
+sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_rp_filter
 sysctl_net_ipv4_conf_all_send_redirects
 sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_source_route
+sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_rp_filter
 sysctl_net_ipv4_conf_default_send_redirects
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-sysctl_net_ipv4_ip_forward
-sysctl_net_ipv4_tcp_invalid_ratelimit
-sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
 sysctl_net_ipv4_tcp_syncookies
 sysctl_net_ipv6_conf_all_accept_ra
 sysctl_net_ipv6_conf_all_accept_redirects
@@ -507,7 +485,6 @@ sysctl_net_ipv6_conf_default_accept_source_route
 system_booted_in_fips_mode
 tftp_uses_secure_mode_systemd
 usbguard_generate_policy
-use_kerberos_security_all_exports
 use_pam_wheel_for_su
 var_account_disable_post_pw_expiration=35
 var_accounts_authorized_local_users_regex=rhel9
@@ -529,13 +506,11 @@ var_auditd_freq=100
 var_auditd_name_format=stig
 var_auditd_space_left_action=email
 var_auditd_space_left_percentage=25pc
-var_authselect_profile=sssd
 var_multiple_time_servers=stig
 var_networkmanager_dns_mode=explicit_default
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
 var_password_pam_dcredit=1
-var_password_pam_dictcheck=1
 var_password_pam_difok=8
 var_password_pam_lcredit=1
 var_password_pam_maxclassrepeat=4
@@ -543,8 +518,6 @@ var_password_pam_maxrepeat=3
 var_password_pam_minclass=4
 var_password_pam_minlen=15
 var_password_pam_ocredit=1
-var_password_pam_remember=5
-var_password_pam_remember_control_flag=requisite_or_required
 var_password_pam_retry=3
 var_password_pam_ucredit=1
 var_password_pam_unix_rounds=100000
@@ -555,7 +528,6 @@ var_screensaver_lock_delay=5_seconds
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing
 var_smartcard_drivers=cac
-var_sshd_disable_compression=no
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha512
 var_sudo_timestamp_timeout=always_prompt
From 8b290ebdb0e5915fd06f51f8e89f4bb274ccc6fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 25 Jun 2026 14:47:09 +0200
Subject: [PATCH 5/7] Add missing CCEs

---
 .../partitions/mount_option_boot_efi_nosuid/rule.yml | 1 +
 .../updating/enable_gpgcheck_for_all_repositories/rule.yml | 1 +
 shared/references/cce-redhat-avail.txt | 2 --
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
index cdece146f9a3..db44abd7ffe0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
  cce@rhel8: CCE-86038-7
  cce@rhel9: CCE-86040-3
+ cce@rhel10: CCE-86492-6
 
 references:
  nist: CM-6(b),CM-6.1(iv)
diff --git a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
index 5ac5994ae367..f6829b70b6a0 100644
--- a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
+++ b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
@@ -20,6 +20,7 @@ severity: high
 identifiers:
  cce@rhel8: CCE-86187-2
+ cce@rhel10: CCE-86484-3
 
 references:
  srg: SRG-OS-000366-GPOS-00153
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 91b104d88076..b511d7ad89e7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,5 +1,3 @@
-CCE-86484-3
-CCE-86492-6
 CCE-86494-2
 CCE-86497-5
 CCE-86498-3
From 4981746901c7aec5a0dab3d9ecffc0b44d3eb256 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 25 Jun 2026 16:10:52 +0200
Subject: [PATCH 6/7] Prevent rule removal from RHEL 10

---
 products/rhel10/profiles/default.profile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index 0c4878a9e7d0..80daad7df772 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -47,3 +47,13 @@ selections:
  - configure_ssh_crypto_policy
  - package_dnsmasq_removed
  - chrony_set_nts
+ - audit_rules_privileged_commands_pkexec
+ - sshd_include_crypto_policy
+ - file_permission_user_init_files_root
+ - mount_option_nodev_removable_partitions
+ - mount_option_noexec_removable_partitions
+ - audit_rules_privileged_commands_mount
+ - fips_crypto_subpolicy
+ - mount_option_nosuid_removable_partitions
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - set_password_hashing_min_rounds_logindefs
From 468a7c0145458f21a0beb0213de07f12beeab380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 25 Jun 2026 16:17:34 +0200
Subject: [PATCH 7/7] Change YAML formatting using yamlfix

---
 products/rhel10/controls/stig_rhel10.yml | 6875 +++++++++++-----------
 1 file changed, 3391 insertions(+), 3484 deletions(-)

diff --git a/products/rhel10/controls/stig_rhel10.yml b/products/rhel10/controls/stig_rhel10.yml
index 411742bec6dd..94647d455223 100644
--- a/products/rhel10/controls/stig_rhel10.yml
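Review bot: The ten selections appended to `selections:` in default.profile carry no comment saying why they are there, so a later reader cannot tell that they were deliberately parked in the catch-all profile after being dropped from the RHEL 10 STIG mapping (the profile_stability hunks above show every one of them leaving stig_gui.profile) rather than being stray entries someone should clean up. I would add a one-line comment above the first new entry, e.g. `# Not selected by the RHEL 10 STIG V1R1 control file; kept here so the rules stay in the data stream.` That comment is also the place to record that `sysctl_net_ipv4_tcp_invalid_ratelimit` is selected without the `sysctl_net_ipv4_tcp_invalid_ratelimit_value` variable the STIG profile used to pin alongside it, so it presumably falls back to the variable's default — confirm that is the intended value for a default-profile build. The new entries are also in no discernible order (audit, sshd, file, mount, audit, fips, mount, sysctl, pam); sorting or grouping them by area would make future diffs to this list easier to review.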
+++ b/products/rhel10/controls/stig_rhel10.yml @@ -1,3 +1,4 @@ +--- policy: Red Hat Enterprise Linux 10 Security Technical Implementation Guide title: Red Hat Enterprise Linux 10 Security Technical Implementation Guide id: stig_rhel10 
@@ -5,3489 +6,3395 @@ version: V1R1 source: https://www.cyber.mil/stigs/downloads/ reference_type: stigid product: rhel10 + levels: -- id: high -- id: medium -- id: low + - id: high + - id: medium + - id: low + controls: -- id: RHEL-10-700970 - levels: - - medium - title: RHEL 10 must disable the debug-shell systemd service. - rules: - - service_debug-shell_disabled - status: automated -- id: RHEL-10-001020 - levels: - - medium - title: RHEL 10 must ensure cryptographic verification of vendor software packages. - rules: - - ensure_redhat_gpgkey_installed - - package_sequoia-sq_installed - status: automated -- id: RHEL-10-001030 - levels: - - high - title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages - originating from external software repositories before installation. - rules: - - ensure_gpgcheck_globally_activated - status: automated -- id: RHEL-10-001040 - levels: - - high - title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed - software packages before installation. - rules: - - ensure_gpgcheck_local_packages - status: automated -- id: RHEL-10-001050 - levels: - - high - title: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled - for all software repositories. - rules: - - enable_gpgcheck_for_all_repositories - status: automated -- id: RHEL-10-000510 - levels: - - high - title: RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure - or modification of all information on local disk partitions that requires at-rest - protection. - rules: - - encrypt_partitions - status: automated -- id: RHEL-10-000520 - levels: - - low - title: RHEL 10 must use a separate file system for the system audit data path. - rules: - - partition_for_var_log_audit - status: automated -- id: RHEL-10-000530 - levels: - - medium - title: RHEL 10 must use a separate file system for user home directories (such as - "/home" or an equivalent). 
- rules: - - partition_for_home - status: automated -- id: RHEL-10-000540 - levels: - - medium - title: RHEL 10 must use a separate file system for "/tmp". - rules: - - partition_for_tmp - status: automated -- id: RHEL-10-000550 - levels: - - medium - title: RHEL 10 must use a separate file system for "/var". - rules: - - partition_for_var - status: automated -- id: RHEL-10-000560 - levels: - - medium - title: RHEL 10 must use a separate file system for "/var/log". - rules: - - partition_for_var_log - status: automated -- id: RHEL-10-000570 - levels: - - medium - title: RHEL 10 must use a separate file system for "/var/tmp". - rules: - - partition_for_var_tmp - status: automated -- id: RHEL-10-200000 - levels: - - medium - title: RHEL 10 must remove all software components after updated versions have been - installed. - rules: - - clean_components_post_updating - status: automated -- id: RHEL-10-200010 - levels: - - medium - title: RHEL 10 must not have the "nfs-utils" package installed. - rules: - - package_nfs-utils_removed - status: automated -- id: RHEL-10-200020 - levels: - - high - title: RHEL 10 must not have the "telnet-server" package installed. - rules: - - package_telnet-server_removed - status: automated -- id: RHEL-10-200030 - levels: - - medium - title: RHEL 10 must not have the "gssproxy" package installed. - rules: - - package_gssproxy_removed - status: automated -- id: RHEL-10-200040 - levels: - - medium - title: RHEL 10 must not have the tuned package installed. - rules: - - package_tuned_removed - status: automated -- id: RHEL-10-200050 - levels: - - medium - title: RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package - installed unless it is required by the mission, and if required, the TFTP daemon - must be configured to operate in secure mode. - rules: - - package_tftp-server_removed - status: automated -- id: RHEL-10-200060 - levels: - - medium - title: RHEL 10 must not have the unbound package installed. 
- rules: - - package_unbound_removed - status: automated -- id: RHEL-10-200070 - levels: - - high - title: RHEL 10 must not have the "tftp" package installed. - rules: - - package_tftp_removed - status: automated -- id: RHEL-10-200080 - levels: - - medium - title: RHEL 10 must not have the "gdm" package installed. - rules: - - package_gdm_removed - status: automated -- id: RHEL-10-200090 - levels: - - high - title: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. - rules: - - package_vsftpd_removed - status: automated -- id: RHEL-10-200500 - levels: - - medium - title: RHEL 10 must have the "subscription-manager" package installed. - rules: - - package_subscription-manager_installed - status: automated -- id: RHEL-10-200510 - levels: - - medium - title: RHEL 10 must have the "nss-tools" package installed. - rules: - - package_nss-tools_installed - status: automated -- id: RHEL-10-200520 - levels: - - medium - title: RHEL 10 must have the "s-nail" package installed. - rules: - - package_s-nail_installed - status: automated -- id: RHEL-10-200530 - levels: - - medium - title: RHEL 10 must have the "firewalld" package installed. - rules: - - package_firewalld_installed - status: automated -- id: RHEL-10-200531 - levels: - - medium - title: RHEL 10 must have the "firewalld" service set to active. - rules: - - service_firewalld_enabled - status: automated -- id: RHEL-10-200532 - levels: - - medium - title: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections - to other systems. - rules: - - configured_firewalld_default_deny - related_rules: - - set_firewalld_default_zone - status: automated -- id: RHEL-10-200540 - levels: - - medium - title: RHEL 10 must have the "chrony" package installed. - rules: - - package_chrony_installed - status: automated -- id: RHEL-10-200541 - levels: - - medium - title: RHEL 10 must enable the chronyd service. 
- rules: - - service_chronyd_enabled - status: automated -- id: RHEL-10-200542 - levels: - - medium - title: RHEL 10 must disable the chrony daemon from acting as a server. - rules: - - chronyd_client_only - status: automated -- id: RHEL-10-200543 - levels: - - medium - title: RHEL 10 must disable network management of the chrony daemon. - rules: - - chronyd_no_chronyc_network - status: automated -- id: RHEL-10-200560 - levels: - - medium - title: RHEL 10 must have the USBGuard package installed. - rules: - - package_usbguard_installed - status: automated -- id: RHEL-10-200561 - levels: - - medium - title: RHEL 10 must have the USBGuard package enabled. - rules: - - service_usbguard_enabled - status: automated -- id: RHEL-10-200562 - levels: - - medium - title: RHEL 10 must block unauthorized peripherals before establishing a connection. - rules: - - usbguard_generate_policy - status: automated -- id: RHEL-10-200563 - levels: - - medium - title: RHEL 10 must enable audit logging for the USBGuard daemon. - rules: - - configure_usbguard_auditbackend - status: automated -- id: RHEL-10-200570 - levels: - - medium - title: RHEL 10 must have the "policycoreutils" package installed. - rules: - - package_policycoreutils_installed - status: automated -- id: RHEL-10-200580 - levels: - - medium - title: RHEL 10 must have the "policycoreutils-python-utils" package installed. - rules: - - package_policycoreutils-python-utils_installed - status: automated -- id: RHEL-10-200590 - levels: - - medium - title: RHEL 10 must have the "sudo" package installed. - rules: - - package_sudo_installed - status: automated -- id: RHEL-10-200600 - levels: - - medium - title: RHEL 10 must have the "fapolicy" module installed. - rules: - - package_fapolicyd_installed - status: automated -- id: RHEL-10-200601 - levels: - - medium - title: RHEL 10 must enable the "fapolicy" module. 
- rules: - - service_fapolicyd_enabled - status: automated -- id: RHEL-10-200602 - levels: - - medium - title: RHEL 10 must be configured to employ a deny-all, permit-by-exception policy - to allow the execution of authorized software programs. - rules: - - fapolicy_default_deny - status: automated -- id: RHEL-10-200610 - levels: - - medium - title: RHEL 10 must have the "pcsc-lite" package installed. - rules: - - package_pcsc-lite_installed - status: automated -- id: RHEL-10-200611 - levels: - - medium - title: RHEL 10 must have the "pcscd" service set to active. - rules: - - service_pcscd_enabled - status: automated -- id: RHEL-10-200612 - levels: - - medium - title: RHEL 10 must have the "pcsc-lite-ccid" package installed. - rules: - - package_pcsc-lite-ccid_installed - status: automated -- id: RHEL-10-200620 - levels: - - medium - title: RHEL 10 must have the "opensc" package installed. - rules: - - package_opensc_installed - status: automated -- id: RHEL-10-200621 - levels: - - medium - title: RHEL 10 must use the common access card (CAC) smart card driver. - rules: - - configure_opensc_card_drivers - - var_smartcard_drivers=cac - status: automated -- id: RHEL-10-200630 - levels: - - medium - title: RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package - installed. - rules: - - package_aide_installed - status: automated -- id: RHEL-10-200631 - levels: - - high - title: RHEL 10 must use cryptographic mechanisms to protect the integrity of audit - tools. - rules: - - aide_check_audit_tools - status: automated -- id: RHEL-10-200632 - levels: - - medium - title: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved - cryptographic hashes for validating file contents and directories. 
- rules: - - aide_use_fips_hashes - status: automated -- id: RHEL-10-200633 - levels: - - medium - title: RHEL 10 must routinely check the baseline configuration for unauthorized - changes and notify the system administrator when anomalies in the operation of - any security functions are discovered. - rules: - - aide_build_database - - aide_periodic_cron_checking - - aide_scan_notification - - aide_use_fips_hashes - - package_aide_installed - status: automated -- id: RHEL-10-200634 - levels: - - medium - title: RHEL 10 must be configured so that the file integrity tool verifies Access - Control Lists (ACLs). - rules: - - aide_verify_acls - status: automated -- id: RHEL-10-200635 - levels: - - medium - title: RHEL 10 must be configured so that the file integrity tool verifies extended - attributes. - rules: - - aide_verify_ext_attributes - status: automated -- id: RHEL-10-200640 - levels: - - medium - title: RHEL 10 must have the "rsyslog" package installed. - rules: - - package_rsyslog_installed - status: automated -- id: RHEL-10-200641 - levels: - - medium - title: RHEL 10 must have the rsyslog service set to active. - rules: - - service_rsyslog_enabled - status: automated -- id: RHEL-10-200642 - levels: - - medium - title: RHEL 10 must be configured to forward audit records via Transmission Control - Protocol (TCP) to a different system or media from the system being audited via - rsyslog. - rules: - - rsyslog_remote_loghost - status: automated -- id: RHEL-10-200643 - levels: - - medium - title: RHEL 10 must be configured so that the rsyslog daemon does not accept log - messages from other servers unless the server is being used for log aggregation. - rules: - - rsyslog_nolisten - status: automated -- id: RHEL-10-200644 - levels: - - medium - title: RHEL 10 must authenticate the remote logging server for off-loading audit - logs via "rsyslog". 
- rules: - - rsyslog_encrypt_offload_actionsendstreamdriverauthmode - status: automated -- id: RHEL-10-200645 - levels: - - medium - title: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different - system or media from the system being audited via rsyslog. - rules: - - rsyslog_encrypt_offload_actionsendstreamdrivermode - status: automated -- id: RHEL-10-200646 - levels: - - medium - title: RHEL 10 must encrypt, via the gtls driver, the transfer of audit records - off-loaded onto a different system or media from the system being audited via - rsyslog. - rules: - - rsyslog_encrypt_offload_defaultnetstreamdriver - status: automated -- id: RHEL-10-200647 - levels: - - medium - title: RHEL 10 must monitor all remote access methods. - rules: - - rsyslog_remote_access_monitoring - status: automated -- id: RHEL-10-200648 - levels: - - medium - title: RHEL 10 must use cron logging. - rules: - - rsyslog_cron_logging - status: automated -- id: RHEL-10-200650 - levels: - - medium - title: RHEL 10 must have the packages required for encrypting off-loaded audit logs - installed. - rules: - - package_rsyslog-gnutls_installed - status: automated -- id: RHEL-10-200660 - levels: - - medium - title: RHEL 10 must have the "audit" package installed. - rules: - - package_audit_installed - status: automated -- id: RHEL-10-200661 - levels: - - medium - title: RHEL 10 must enable the audit service. - rules: - - service_auditd_enabled - status: automated -- id: RHEL-10-200662 - levels: - - low - title: RHEL 10 must have the "audispd-plugins" package installed. - rules: - - package_audispd-plugins_installed - status: automated -- id: RHEL-10-200680 - levels: - - medium - title: RHEL 10 must have the "libreswan" package installed. - rules: - - package_libreswan_installed - status: automated -- id: RHEL-10-200690 - levels: - - medium - title: RHEL 10 must notify designated personnel if baseline configurations are changed - in an unauthorized manner. 
- rules: - - package_postfix_installed - status: automated -- id: RHEL-10-200691 - levels: - - medium - title: RHEL 10 must have mail aliases to notify the information system security - officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing - failure. - rules: - - postfix_client_configure_mail_alias - - postfix_client_configure_mail_alias_postmaster - - var_postfix_root_mail_alias=mil_sysadmin - status: automated -- id: RHEL-10-200692 - levels: - - medium - title: RHEL 10 must be configured to prevent unrestricted mail relaying. - rules: - - postfix_prevent_unrestricted_relay - status: automated -- id: RHEL-10-200700 - levels: - - medium - title: RHEL 10 must have the "cronie" package installed. - rules: - - package_cron_installed - status: automated -- id: RHEL-10-200720 - levels: - - medium - title: RHEL 10 must have a Secure Shell (SSH) server installed for all networked - systems. - rules: - - package_openssh-server_installed - status: automated -- id: RHEL-10-200721 - levels: - - medium - title: RHEL 10 must, for all networked systems, have and implement Secure Shell - (SSH) to protect the confidentiality and integrity of transmitted and received - information. - rules: - - service_sshd_enabled - status: automated -- id: RHEL-10-200722 - levels: - - medium - title: RHEL 10 must have the "openssh-clients" package installed. - rules: - - package_openssh-clients_installed - status: automated -- id: RHEL-10-200730 - levels: - - medium - title: RHEL 10 must have the "pkcs11-provider" package installed. - rules: - - install_smartcard_packages - status: automated -- id: RHEL-10-200740 - levels: - - medium - title: RHEL 10 must have the "gnutls-utils" package installed. - rules: - - package_gnutls-utils_installed - status: automated -- id: RHEL-10-300000 - levels: - - high - title: RHEL 10 must have the "crypto-policies" package installed. 
- rules: - - package_crypto-policies_installed - status: automated -- id: RHEL-10-300010 - levels: - - high - title: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. - rules: - - configure_crypto_policy - - var_system_crypto_policy=fips - status: automated -- id: RHEL-10-000500 - levels: - - high - title: RHEL 10 must enable FIPS mode. - rules: - - enable_fips_mode - - sysctl_crypto_fips_enabled - - system_booted_in_fips_mode - status: automated -- id: RHEL-10-300030 - levels: - - high - title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved - encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms - to protect the confidentiality of SSH client connections. - rules: - - harden_sshd_ciphers_openssh_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel10 - status: automated -- id: RHEL-10-300040 - levels: - - high - title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved - encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms - to protect the confidentiality of SSH server connections. - rules: - - harden_sshd_ciphers_opensshserver_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel10 - status: automated -- id: RHEL-10-300050 - levels: - - high - title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved - Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic - hash algorithms to protect the confidentiality of SSH client connections. - rules: - - harden_sshd_macs_openssh_conf_crypto_policy - - sshd_approved_macs=stig_rhel10 - status: automated -- id: RHEL-10-300060 - levels: - - high - title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved - Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic - hash algorithms to protect the confidentiality of SSH server connections. 
- rules: - - harden_sshd_macs_opensshserver_conf_crypto_policy - - sshd_approved_macs=stig_rhel10 - status: automated -- id: RHEL-10-300070 - levels: - - high - title: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. - rules: - - configure_libreswan_crypto_policy - status: automated -- id: RHEL-10-300080 - levels: - - high - title: RHEL 10 must implement DOD-approved encryption in the bind package. - rules: - - configure_bind_crypto_policy - status: automated -- id: RHEL-10-300090 - levels: - - high - title: RHEL 10 cryptographic policy must not be overridden. - rules: - - configure_crypto_policy - - var_system_crypto_policy=fips - status: automated -- id: RHEL-10-400000 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/group" file is owned by root. - rules: - - file_owner_etc_group - status: automated -- id: RHEL-10-400005 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/group" file is group-owned by - "root". - rules: - - file_groupowner_etc_group - status: automated -- id: RHEL-10-400010 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". - rules: - - file_owner_backup_etc_group - status: automated -- id: RHEL-10-400015 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/group-" file is group-owned - by "root". - rules: - - file_groupowner_backup_etc_group - status: automated -- id: RHEL-10-400020 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". - rules: - - file_owner_etc_gshadow - status: automated -- id: RHEL-10-400025 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned - by "root". - rules: - - file_groupowner_etc_gshadow - status: automated -- id: RHEL-10-400030 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". 
- rules: - - file_owner_backup_etc_gshadow - status: automated -- id: RHEL-10-400035 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned - by "root". - rules: - - file_groupowner_backup_etc_gshadow - status: automated -- id: RHEL-10-400040 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". - rules: - - file_owner_etc_passwd - status: automated -- id: RHEL-10-400045 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned - by "root". - rules: - - file_groupowner_etc_passwd - status: automated -- id: RHEL-10-400050 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". - rules: - - file_owner_backup_etc_passwd - status: automated -- id: RHEL-10-400055 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned - by "root". - rules: - - file_groupowner_backup_etc_passwd - status: automated -- id: RHEL-10-400060 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". - rules: - - file_owner_etc_shadow - status: automated -- id: RHEL-10-400065 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned - by "root". - rules: - - file_groupowner_etc_shadow - status: automated -- id: RHEL-10-400070 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". - rules: - - file_owner_backup_etc_shadow - status: automated -- id: RHEL-10-400075 - levels: - - medium - title: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned - by "root". - rules: - - file_groupowner_backup_etc_shadow - status: automated -- id: RHEL-10-400080 - levels: - - medium - title: RHEL 10 must be configured so that the "/var/log" directory is owned by "root". 
- rules: - - file_owner_var_log - status: automated -- id: RHEL-10-400085 - levels: - - medium - title: RHEL 10 must be configured so that the "/var/log" directory is group-owned - by "root". - rules: - - file_groupowner_var_log - status: automated -- id: RHEL-10-400090 - levels: - - medium - title: RHEL 10 must be configured so that the "/var/log/"messages file is owned - by root. - rules: - - file_owner_var_log_messages - status: automated -- id: RHEL-10-400095 - levels: - - medium - title: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned - by "root". - rules: - - file_groupowner_var_log_messages - status: automated -- id: RHEL-10-400100 - levels: - - medium - title: RHEL 10 must be configured so that system commands are owned by "root". - rules: - - file_ownership_binary_dirs - status: automated -- id: RHEL-10-400105 - levels: - - medium - title: RHEL 10 must be configured so that system commands are group-owned by root - or a system account. - rules: - - file_groupownership_system_commands_dirs - status: automated -- id: RHEL-10-400110 - levels: - - medium - title: RHEL 10 must be configured so that library files are owned by "root". - rules: - - file_ownership_library_dirs - status: automated -- id: RHEL-10-400115 - levels: - - medium - title: RHEL 10 must be configured so that library files are group-owned by "root" - or a system account. - rules: - - root_permissions_syslibrary_files - status: automated -- id: RHEL-10-400120 - levels: - - medium - title: RHEL 10 must be configured so that library directories are owned by "root". - rules: - - dir_ownership_library_dirs - status: automated -- id: RHEL-10-400125 - levels: - - medium - title: RHEL 10 must be configured so that library directories are group-owned by - "root" or a system account. 
- rules: - - dir_group_ownership_library_dirs - status: automated -- id: RHEL-10-400130 - levels: - - medium - title: RHEL 10 must be configured so that cron configuration file directories are - owned by root. - rules: - - file_owner_cron_d - - file_owner_cron_daily - - file_owner_cron_hourly - - file_owner_cron_monthly - - file_owner_cron_weekly - - file_owner_crontab - - file_owner_cron_deny - status: automated -- id: RHEL-10-400135 - levels: - - medium - title: RHEL 10 must be configured so that cron configuration files directories are - group-owned by root. - rules: - - file_groupowner_cron_d - - file_groupowner_cron_daily - - file_groupowner_cron_hourly - - file_groupowner_cron_monthly - - file_groupowner_cron_weekly - - file_groupowner_crontab - - file_groupowner_cron_deny - status: automated -- id: RHEL-10-400140 - levels: - - medium - title: RHEL 10 must be configured so that world-writable directories are owned by - root, sys, bin, or an application user. - rules: - - dir_perms_world_writable_root_owned - status: automated -- id: RHEL-10-400145 - levels: - - medium - title: RHEL 10 must be configured so that all system device files are correctly - labeled to prevent unauthorized modification. - rules: - - selinux_all_devicefiles_labeled - status: automated -- id: RHEL-10-400150 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration - file is group-owned by "root". - rules: - - file_groupowner_sshd_config - - directory_groupowner_sshd_config_d - - file_groupowner_sshd_drop_in_config - status: automated -- id: RHEL-10-400155 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration - file is owned by "root". 
- rules: - - file_sshd_50_redhat_exists - - file_owner_sshd_config - - directory_owner_sshd_config_d - - file_owner_sshd_drop_in_config - notes: > - TODO: investigate if file_sshd_50_redhat_exists is a convenience rule or a prerequisite - or if it's superfluous and should be removed. - status: automated -- id: RHEL-10-400160 - levels: - - medium - title: RHEL 10 must ensure that all local interactive user home directories are - group-owned by the home directory owner's primary group. - rules: - - file_groupownership_home_directories - status: automated -- id: RHEL-10-400165 - levels: - - medium - title: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted - logging group to prevent unauthorized read access. - rules: - - file_group_ownership_var_log_audit - status: automated -- id: RHEL-10-400170 - levels: - - medium - title: RHEL 10 must enforce "root" ownership of the audit log directory to prevent - unauthorized read access. - rules: - - directory_ownership_var_log_audit - status: automated -- id: RHEL-10-400175 - levels: - - medium - title: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized - access. - rules: - - file_ownership_var_log_audit_stig - status: automated -- id: RHEL-10-400180 - levels: - - medium - title: RHEL 10 must enforce group ownership by "root" or a restricted logging group - for audit log files to prevent unauthorized access. - rules: - - directory_group_ownership_var_log_audit - status: automated -- id: RHEL-10-400185 - levels: - - medium - title: RHEL 10 must set mode "0600" or less permissive for the audit logs file to - prevent unauthorized access to the audit log. - rules: - - file_permissions_var_log_audit - status: automated -- id: RHEL-10-400190 - levels: - - medium - title: RHEL 10 must enforce the audit log directory to have a mode of "0750" or - less permissive to prevent unauthorized read access. 
- rules: - - directory_permissions_var_log_audit - status: automated -- id: RHEL-10-400195 - levels: - - medium - title: RHEL 10 must enforce root ownership of the "/etc/audit/" directory. - rules: - - file_ownership_audit_configuration - status: automated -- id: RHEL-10-400200 - levels: - - medium - title: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. - rules: - - file_groupownership_audit_configuration - status: automated -- id: RHEL-10-400205 - levels: - - medium - title: RHEL 10 must enforce mode "755" or less permissive for system commands. - rules: - - file_permissions_binary_dirs - status: automated -- id: RHEL-10-400210 - levels: - - medium - title: RHEL 10 must enforce mode "755" or less permissive on library directories. - rules: - - dir_permissions_library_dirs - status: automated -- id: RHEL-10-400215 - levels: - - medium - title: RHEL 10 must enforce mode "755" or less permissive for library files. - rules: - - file_permissions_library_dirs - status: automated -- id: RHEL-10-400220 - levels: - - medium - title: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. - rules: - - file_permissions_var_log - status: automated -- id: RHEL-10-400225 - levels: - - medium - title: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" - file. - rules: - - file_permissions_var_log_messages - status: automated -- id: RHEL-10-400230 - levels: - - medium - title: RHEL 10 must be configured to prohibit modification of permissions for cron - configuration files and directories from the operating system defaults. - rules: - - file_permissions_cron_d - - file_permissions_cron_daily - - file_permissions_cron_hourly - - file_permissions_cron_monthly - - file_permissions_cron_weekly - - file_permissions_crontab - status: automated - notes: > - TODO: STIG recommends to use rpm to verify that permissions match the operating system defaults. 
-- id: RHEL-10-400235 - levels: - - medium - title: RHEL 10 must enforce mode "0740" or less permissive for local initialization - files. - rules: - - file_permission_user_init_files - - var_user_initialization_files_regex=all_dotfiles - status: automated -- id: RHEL-10-400240 - levels: - - medium - title: RHEL 10 must enforce mode "0750" or less permissive for local interactive - user home directories. - rules: - - file_permissions_home_directories - status: automated -- id: RHEL-10-400245 - levels: - - medium - title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" - file to prevent unauthorized access. - rules: - - file_permissions_etc_group - status: automated -- id: RHEL-10-400250 - levels: - - medium - title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" - file to prevent unauthorized access. - rules: - - file_permissions_backup_etc_group - status: automated -- id: RHEL-10-400255 - levels: - - medium - title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" - file to prevent unauthorized access. - rules: - - file_permissions_etc_gshadow - status: automated -- id: RHEL-10-400260 - levels: - - medium - title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" - file to prevent unauthorized access. - rules: - - file_permissions_backup_etc_gshadow - status: automated -- id: RHEL-10-400265 - levels: - - medium - title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" - file to prevent unauthorized access. - rules: - - file_permissions_etc_passwd - status: automated -- id: RHEL-10-400270 - levels: - - medium - title: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file - to prevent unauthorized access. 
- rules: - - file_permissions_backup_etc_passwd - status: automated -- id: RHEL-10-400275 - levels: - - medium - title: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file - to prevent unauthorized access. - rules: - - file_permissions_backup_etc_shadow - status: automated -- id: RHEL-10-400280 - levels: - - medium - title: RHEL 10 must be configured so that a sticky bit is set on all public directories. - rules: - - dir_perms_world_writable_sticky_bits - status: automated -- id: RHEL-10-400285 - levels: - - medium - title: RHEL 10 must be configured so that all local files and directories have a - valid group owner. - rules: - - file_permissions_ungroupowned - status: automated -- id: RHEL-10-400290 - levels: - - medium - title: RHEL 10 must be configured so that all local files and directories must have - a valid owner. - rules: - - no_files_unowned_by_user - status: automated -- id: RHEL-10-400295 - levels: - - medium - title: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized - access. - rules: - - file_permissions_etc_shadow - status: automated -- id: RHEL-10-400300 - levels: - - medium - title: RHEL 10 must be configured so that audit tools are owned by "root". - rules: - - file_audit_tools_ownership - status: automated -- id: RHEL-10-400305 - levels: - - medium - title: RHEL 10 must be configured so that audit tools are group-owned by "root". - rules: - - file_audit_tools_group_ownership - status: automated -- id: RHEL-10-400310 - levels: - - medium - title: RHEL 10 must set the umask value to "077" for all local interactive user - accounts. - rules: - - accounts_umask_interactive_users - - var_accounts_user_umask=077 - status: automated -- id: RHEL-10-400315 - levels: - - medium - title: RHEL 10 must define default permissions for the bash shell. 
- rules: - - accounts_umask_etc_bashrc - - var_accounts_user_umask=077 - status: automated -- id: RHEL-10-400320 - levels: - - medium - title: RHEL 10 must define default permissions for the c shell. - rules: - - accounts_umask_etc_csh_cshrc - - var_accounts_user_umask=077 - status: automated -- id: RHEL-10-400325 - levels: - - medium - title: RHEL 10 must define default permissions for all authenticated users in such - a way that the user can read and modify only their own files. - rules: - - accounts_umask_etc_login_defs - - var_accounts_user_umask=077 - status: automated -- id: RHEL-10-400330 - levels: - - medium - title: RHEL 10 must define default permissions for the system default profile. - rules: - - accounts_umask_etc_profile - - var_accounts_user_umask=077 - status: automated -- id: RHEL-10-400335 - levels: - - medium - title: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles - have mode "0600" or less permissive. - rules: - - rootfiles_configured - status: automated -- id: RHEL-10-400340 - levels: - - medium - title: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) - private host key files. - rules: - - file_permissions_sshd_private_key - status: automated -- id: RHEL-10-400345 - levels: - - medium - title: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" - file. - rules: - - file_groupowner_grub2_cfg - status: automated -- id: RHEL-10-400350 - levels: - - medium - title: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. - rules: - - file_owner_grub2_cfg - status: automated -- id: RHEL-10-400355 - levels: - - medium - title: RHEL 10 must prevent device files from being interpreted on file systems - that contain user home directories. 
- rules: - - mount_option_home_nodev - status: automated -- id: RHEL-10-400360 - levels: - - medium - title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being - executed on file systems that contain user home directories. - rules: - - mount_option_home_nosuid - status: automated -- id: RHEL-10-400365 - levels: - - medium - title: RHEL 10 must prevent code from being executed on file systems that contain - user home directories. - rules: - - mount_option_home_noexec - status: automated -- id: RHEL-10-400400 - levels: - - medium - title: RHEL 10 must mount "/var/log/audit" with the "nodev" option. - rules: - - mount_option_var_log_audit_nodev - status: automated -- id: RHEL-10-400405 - levels: - - medium - title: RHEL 10 must mount "/var/log/audit" with the "noexec" option. - rules: - - mount_option_var_log_audit_noexec - status: automated -- id: RHEL-10-400410 - levels: - - medium - title: RHEL 10 must mount "/var/log/audit" with the "nosuid" option. - rules: - - mount_option_var_log_audit_nosuid - status: automated -- id: RHEL-10-400450 - levels: - - medium - title: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. - rules: - - file_audit_tools_permissions - status: automated -- id: RHEL-10-400500 - levels: - - medium - title: RHEL 10 must prohibit local initialization files from executing world-writable - programs. - rules: - - accounts_user_dot_no_world_writable_programs - status: automated -- id: RHEL-10-500000 - levels: - - medium - title: RHEL 10 must enable the systemd-journald service. - rules: - - service_systemd-journald_enabled - status: automated -- id: RHEL-10-500005 - levels: - - medium - title: RHEL 10 must enable auditing of processes that start prior to the audit daemon. - rules: - - grub2_audit_argument - status: automated -- id: RHEL-10-500010 - levels: - - medium - title: RHEL 10 must audit local events. 
- rules: - - auditd_local_events - status: automated -- id: RHEL-10-500015 - levels: - - medium - title: RHEL 10 must write audit records to disk. - rules: - - auditd_write_logs - status: automated -- id: RHEL-10-500020 - levels: - - medium - title: RHEL 10 must log username information when unsuccessful login attempts occur. - rules: - - accounts_passwords_pam_faillock_audit - status: automated -- id: RHEL-10-500025 - levels: - - medium - title: RHEL 10 must allow only the information system security manager (ISSM) (or - individuals or roles appointed by the ISSM) to select which auditable events are - to be audited. - rules: - - file_permissions_etc_audit_auditd - - file_permissions_etc_audit_rulesd - status: automated -- id: RHEL-10-500030 - levels: - - medium - title: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture - processes that start prior to the audit daemon. - rules: - - grub2_audit_backlog_limit_argument - - var_audit_backlog_limit=8192 - status: automated -- id: RHEL-10-500035 - levels: - - medium - title: RHEL 10 must take appropriate action when a critical audit processing failure - occurs. - rules: - - audit_rules_system_shutdown - - var_audit_failure_mode=panic - status: automated -- id: RHEL-10-500040 - levels: - - medium - title: RHEL 10 must take action when allocated audit record storage volume reaches - 75 percent of the audit record storage capacity. - rules: - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc - status: automated -- id: RHEL-10-500045 - levels: - - medium - title: RHEL 10 must label all off-loaded audit logs before sending them to the central - log server. 
- rules: - - auditd_name_format - - var_auditd_name_format=stig - status: automated -- id: RHEL-10-500100 - levels: - - low - title: RHEL 10 must allocate audit record storage capacity to store at least one - week's worth of audit records. - rules: - - auditd_audispd_configure_sufficiently_large_partition - - partition_for_var_log_audit - status: automated -- id: RHEL-10-500105 - levels: - - medium - title: RHEL 10 must take action when allocated audit record storage volume reaches - 95 percent of the audit record storage capacity. - rules: - - auditd_data_retention_admin_space_left_percentage - - var_auditd_admin_space_left_percentage=5pc - status: automated -- id: RHEL-10-500110 - levels: - - medium - title: RHEL 10 must take action when allocated audit record storage volume reaches - 95 percent of the repository maximum audit record storage capacity. - rules: - - auditd_data_retention_admin_space_left_action - - var_auditd_admin_space_left_action=single - status: automated -- id: RHEL-10-500115 - levels: - - medium - title: RHEL 10 must take appropriate action when the internal event queue is full. - rules: - - auditd_overflow_action - status: automated -- id: RHEL-10-500120 - levels: - - medium - title: RHEL 10 must produce audit records containing information to establish the - identity of any individual or process associated with the event. - rules: - - auditd_log_format - status: automated -- id: RHEL-10-500125 - levels: - - medium - title: RHEL 10 must periodically flush audit records to disk to ensure that audit - records are not lost. - rules: - - auditd_freq - - var_auditd_freq=100 - status: automated -- id: RHEL-10-500205 - levels: - - medium - title: RHEL 10 must notify the system administrator (SA) and information system - security officer (ISSO) (at a minimum) when allocated audit record storage volume - 75 percent utilization. 
- rules: - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_percentage - - var_auditd_space_left_action=email - - var_auditd_space_left_percentage=25pc - status: automated -- id: RHEL-10-500210 - levels: - - medium - title: RHEL 10 must notify the system administrator (SA) and/or information system - security officer (ISSO) (at a minimum) of an audit processing failure. - rules: - - auditd_data_retention_action_mail_acct - - var_auditd_action_mail_acct=root - status: automated -- id: RHEL-10-500215 - levels: - - medium - title: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the - server. - rules: - - sshd_set_loglevel_verbose - status: automated -- id: RHEL-10-500300 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "execve" system call. - rules: - - audit_rules_suid_privilege_function - status: automated -- id: RHEL-10-500310 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and - "lremovexattr" system calls. - rules: - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_lremovexattr - status: automated -- id: RHEL-10-500320 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of "umount" system calls. - rules: - - audit_rules_privileged_commands_umount - status: automated -- id: RHEL-10-500330 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chacl" command. 
- rules: - - audit_rules_execution_chacl - status: automated -- id: RHEL-10-500340 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setfacl" command. - rules: - - audit_rules_execution_setfacl - status: automated -- id: RHEL-10-500350 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chcon" command. - rules: - - audit_rules_execution_chcon - status: automated -- id: RHEL-10-500360 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "semanage" command. - rules: - - audit_rules_execution_semanage - status: automated -- id: RHEL-10-500370 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setfiles" command. - rules: - - audit_rules_execution_setfiles - status: automated -- id: RHEL-10-500380 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "setsebool" command. - rules: - - audit_rules_execution_setsebool - status: automated -- id: RHEL-10-500390 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" - system calls. - rules: - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - status: automated -- id: RHEL-10-500400 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "delete_module" system call. 
- rules: - - audit_rules_kernel_module_loading_delete - status: automated -- id: RHEL-10-500410 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "init_module" and "finit_module" system calls. - rules: - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_finit - status: automated -- id: RHEL-10-500420 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chage" command. - rules: - - audit_rules_privileged_commands_chage - status: automated -- id: RHEL-10-500430 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "chsh" command. - rules: - - audit_rules_privileged_commands_chsh - status: automated -- id: RHEL-10-500440 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "crontab" command. - rules: - - audit_rules_privileged_commands_crontab - status: automated -- id: RHEL-10-500450 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "gpasswd" command. - rules: - - audit_rules_privileged_commands_gpasswd - status: automated -- id: RHEL-10-500460 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "kmod" command. - rules: - - audit_rules_privileged_commands_kmod - status: automated -- id: RHEL-10-500470 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "newgrp" command. - rules: - - audit_rules_privileged_commands_newgrp - status: automated -- id: RHEL-10-500480 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "pam_timestamp_check" command. 
- rules: - - audit_rules_privileged_commands_pam_timestamp_check - status: automated -- id: RHEL-10-500490 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "passwd" command. - rules: - - audit_rules_privileged_commands_passwd - status: automated -- id: RHEL-10-500500 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "postdrop" command. - rules: - - audit_rules_privileged_commands_postdrop - status: automated -- id: RHEL-10-500510 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "postqueue" command. - rules: - - audit_rules_privileged_commands_postqueue - status: automated -- id: RHEL-10-500520 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the ssh-agent command. - rules: - - audit_rules_privileged_commands_ssh_agent - status: automated -- id: RHEL-10-500530 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "ssh-keysign" command. - rules: - - audit_rules_privileged_commands_ssh_keysign - status: automated -- id: RHEL-10-500540 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "su" command. - rules: - - audit_rules_privileged_commands_su - status: automated -- id: RHEL-10-500550 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "sudo" command. - rules: - - audit_rules_privileged_commands_sudo - status: automated -- id: RHEL-10-500560 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "sudoedit" command. 
- rules: - - audit_rules_privileged_commands_sudoedit - status: automated -- id: RHEL-10-500570 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "unix_chkpwd" command. - rules: - - audit_rules_privileged_commands_unix_chkpwd - status: automated -- id: RHEL-10-500580 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "unix_update" command. - rules: - - audit_rules_privileged_commands_unix_update - status: automated -- id: RHEL-10-500590 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "userhelper" command. - rules: - - audit_rules_privileged_commands_userhelper - status: automated -- id: RHEL-10-500600 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "usermod" command. - rules: - - audit_rules_privileged_commands_usermod - status: automated -- id: RHEL-10-500610 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "mount" command. - rules: - - audit_rules_media_export - notes: > - Confusing requirement, probably a bug in the DISA STIG - title mentions the - "mount" command but the example audit rule in the check and fixtext isn't - an audit rule watching a command, instead it watches the mount syscall. - The selected rule audit_rules_media_export watches the syscall. If the - command should be watched, the rule audit_rules_privileged_commands_mount - should be selected instead. - status: automated -- id: RHEL-10-500620 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "init" command. - rules: - - audit_privileged_commands_init - status: automated -- id: RHEL-10-500630 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "poweroff" command. 
- rules: - - audit_privileged_commands_poweroff - status: automated -- id: RHEL-10-500640 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "reboot" command. - rules: - - audit_privileged_commands_reboot - status: automated -- id: RHEL-10-500650 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the shutdown command. - rules: - - audit_privileged_commands_shutdown - status: automated -- id: RHEL-10-500660 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "umount" system call. - rules: - - audit_rules_dac_modification_umount - status: automated -- id: RHEL-10-500670 - levels: - - medium - title: RHEL 10 must generate audit records for successful and unsuccessful uses - of the "umount2" system call. - rules: - - audit_rules_dac_modification_umount2 - status: automated -- id: RHEL-10-500680 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/sudoers". - rules: - - audit_rules_sudoers - status: automated -- id: RHEL-10-500690 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect the "/etc/sudoers.d/" directory. - rules: - - audit_rules_sudoers_d - status: automated -- id: RHEL-10-500700 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/group". - rules: - - audit_rules_usergroup_modification_group - status: automated -- id: RHEL-10-500710 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/gshadow". 
- rules: - - audit_rules_usergroup_modification_gshadow - status: automated -- id: RHEL-10-500720 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/opasswd". - rules: - - audit_rules_usergroup_modification_opasswd - status: automated -- id: RHEL-10-500730 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/passwd". - rules: - - audit_rules_usergroup_modification_passwd - status: automated -- id: RHEL-10-500740 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/etc/shadow". - rules: - - audit_rules_usergroup_modification_shadow - status: automated -- id: RHEL-10-500750 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/var/log/faillock". - rules: - - audit_rules_login_events_faillock - status: automated -- id: RHEL-10-500760 - levels: - - medium - title: RHEL 10 must generate audit records for all account creations, modifications, - disabling, and termination events that affect "/var/log/lastlog". - rules: - - audit_rules_login_events_lastlog - status: automated -- id: RHEL-10-500780 - levels: - - medium - title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", - "fchmodat", and "fchmodat2" syscalls. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchmodat2 - status: automated -- id: RHEL-10-500790 - levels: - - medium - title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", - "fchownat", and "lchown" syscalls. 
- rules: - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - status: automated -- id: RHEL-10-500810 - levels: - - medium - title: RHEL 10 must generate audit records for all uses of the "rename", "unlink", - "rmdir", "renameat", "renameat2", and "unlinkat" system calls. - rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_rmdir - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_renameat2 - - audit_rules_file_deletion_events_unlinkat - status: automated -- id: RHEL-10-600000 - levels: - - medium - title: RHEL 10 must require a boot loader superuser password. - rules: - - grub2_password - status: automated -- id: RHEL-10-600010 - levels: - - medium - title: RHEL 10 must require a unique superusers name upon booting into single-user - and maintenance modes. - rules: - - grub2_admin_username - status: automated -- id: RHEL-10-600020 - levels: - - medium - title: RHEL 10 must not assign an interactive login shell for system accounts. - rules: - - no_shelllogin_for_systemaccounts - status: automated -- id: RHEL-10-600100 - levels: - - medium - title: RHEL 10 must, for new users or password changes, have a 60-day maximum password - lifetime restriction for user account passwords in "/etc/login.defs". - rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=60 - status: automated -- id: RHEL-10-600110 - levels: - - medium - title: RHEL 10 must, for user account passwords, have a 60-day maximum password - lifetime restriction. - rules: - - accounts_password_set_max_life_existing - - var_accounts_maximum_age_login_defs=60 - status: automated -- id: RHEL-10-600120 - levels: - - medium - title: RHEL 10 must assign a home directory for local interactive user accounts - upon creation. 
- rules: - - accounts_have_homedir_login_defs - status: automated -- id: RHEL-10-600130 - levels: - - medium - title: RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive - users. - rules: - - account_unique_id - status: automated -- id: RHEL-10-600140 - levels: - - medium - title: RHEL 10 must automatically expire temporary accounts within 72 hours. - rules: - - account_temp_expire_date - status: automated -- id: RHEL-10-600150 - levels: - - medium - title: RHEL 10 must assign a primary group to all interactive users. - rules: - - gid_passwd_group_same - status: automated -- id: RHEL-10-600160 - levels: - - medium - title: RHEL 10 must disable account identifiers (individuals, groups, roles, and - devices) after 35 days of inactivity. - rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=35 - status: automated -- id: RHEL-10-600170 - levels: - - medium - title: RHEL 10 must be configured so that all local interactive user initialization - file executable search path statements do not contain statements that will reference - a working directory other than user home directories. - rules: - - accounts_user_home_paths_only - status: automated -- id: RHEL-10-600180 - levels: - - medium - title: RHEL 10 must assign a home directory to all local interactive users in the - "/etc/passwd" file. - rules: - - accounts_user_interactive_home_directory_defined - status: automated -- id: RHEL-10-600190 - levels: - - medium - title: RHEL 10 must ensure that all local interactive user home directories defined - in the "/etc/passwd" file must exist. - rules: - - accounts_user_interactive_home_directory_exists - status: automated -- id: RHEL-10-600200 - levels: - - medium - title: RHEL 10 must enforce a delay of at least four seconds between login prompts - following a failed login attempt. 
- rules: - - accounts_logon_fail_delay - - var_accounts_fail_delay=4 - status: automated -- id: RHEL-10-600210 - levels: - - medium - title: RHEL 10 must enforce a 24-hours minimum password lifetime restriction for - passwords for new users or password changes in "/etc/login.defs". - rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=1 - status: automated -- id: RHEL-10-600220 - levels: - - medium - title: RHEL 10 must enforce that passwords be created with a minimum of 15 characters. - rules: - - accounts_password_pam_minlen - - var_password_pam_minlen=15 - status: automated -- id: RHEL-10-600230 - levels: - - medium - title: RHEL 10 must enforce password complexity by requiring at least one special - character to be used. - rules: - - accounts_password_pam_ocredit - - var_password_pam_ocredit=1 - status: automated -- id: RHEL-10-600240 - levels: - - medium - title: RHEL 10 must enforce password complexity by requiring that at least one lowercase - character be used. - rules: - - accounts_password_pam_lcredit - - var_password_pam_lcredit=1 - status: automated -- id: RHEL-10-600250 - levels: - - medium - title: RHEL 10 must enforce password complexity by requiring that at least one uppercase - character be used. - rules: - - accounts_password_pam_ucredit - - var_password_pam_ucredit=1 - status: automated -- id: RHEL-10-600260 - levels: - - medium - title: RHEL 10 must require the change of at least eight characters when passwords - are changed. - rules: - - accounts_password_pam_difok - - var_password_pam_difok=8 - status: automated -- id: RHEL-10-600270 - levels: - - medium - title: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime - restriction in "/etc/shadow". 
- rules: - - accounts_password_set_min_life_existing - - var_accounts_minimum_age_login_defs=1 - status: automated -- id: RHEL-10-600280 - levels: - - medium - title: RHEL 10 must require the maximum number of repeating characters of the same - character class to be limited to four when passwords are changed. - rules: - - accounts_password_pam_maxclassrepeat - - var_password_pam_maxclassrepeat=4 - status: automated -- id: RHEL-10-600290 - levels: - - medium - title: RHEL 10 must require that the maximum number of repeating characters be limited - to three when passwords are changed. - rules: - - accounts_password_pam_maxrepeat - - var_password_pam_maxrepeat=3 - status: automated -- id: RHEL-10-600300 - levels: - - medium - title: RHEL 10 must require the change of at least four character classes when passwords - are changed. - rules: - - accounts_password_pam_minclass - - var_password_pam_minclass=4 - status: automated -- id: RHEL-10-600310 - levels: - - medium - title: RHEL 10 must enforce password complexity by requiring that at least one numeric - character be used. - rules: - - accounts_password_pam_dcredit - - var_password_pam_dcredit=1 - status: automated -- id: RHEL-10-600320 - levels: - - medium - title: RHEL 10 must prevent the use of dictionary words for passwords. - rules: - - accounts_password_pam_dictcheck - status: automated -- id: RHEL-10-600400 - levels: - - medium - title: RHEL 10 must allow only the root account to have unrestricted access to the - system. - rules: - - accounts_no_uid_except_zero - status: automated -- id: RHEL-10-600405 - levels: - - medium - title: RHEL 10 must enforce password complexity rules for the "root" account. - rules: - - accounts_password_pam_enforce_root - status: automated -- id: RHEL-10-600410 - levels: - - medium - title: RHEL 10 must automatically lock an account when three unsuccessful login - attempts occur. 
- rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - status: automated -- id: RHEL-10-600415 - levels: - - medium - title: RHEL 10 must automatically lock the root account until the root account is - released by an administrator when three unsuccessful login attempts occur during - a 15-minute time period. - rules: - - accounts_passwords_pam_faillock_deny_root - status: automated -- id: RHEL-10-600420 - levels: - - medium - title: RHEL 10 must automatically lock an account when three unsuccessful login - attempts occur during a 15-minute time period. - rules: - - accounts_passwords_pam_faillock_interval - - var_accounts_passwords_pam_faillock_fail_interval=900 - status: automated -- id: RHEL-10-600425 - levels: - - medium - title: RHEL 10 must maintain an account lock until the locked account is released - by an administrator. - rules: - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=never - status: automated -- id: RHEL-10-600430 - levels: - - medium - title: RHEL 10 must ensure account lockouts persist. - rules: - - accounts_passwords_pam_faillock_dir - status: automated -- id: RHEL-10-600450 - levels: - - medium - title: RHEL 10 must not have unauthorized accounts. - rules: - - accounts_authorized_local_users - - var_accounts_authorized_local_users_regex=rhel9 - status: automated - notes: > - TODO: create a RHEL 10 option in the var_accounts_authorized_local_users_regex variable -- id: RHEL-10-600455 - levels: - - medium - title: RHEL 10 must not allow blank or null passwords. - rules: - - no_empty_passwords - status: automated -- id: RHEL-10-600460 - levels: - - medium - title: RHEL 10 must not have accounts configured with blank or null passwords. - rules: - - no_empty_passwords_etc_shadow - status: automated -- id: RHEL-10-600470 - levels: - - medium - title: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". 
- rules: - - group_unique_id - status: automated -- id: RHEL-10-600475 - levels: - - low - title: RHEL 10 must limit the number of concurrent sessions to 10 for all accounts - and/or account types. - rules: - - accounts_max_concurrent_login_sessions - - var_accounts_max_concurrent_login_sessions=10 - status: automated -- id: RHEL-10-600485 - levels: - - medium - title: RHEL 10 must ensure the password complexity module in the system-auth file - is configured for three or fewer retries. - rules: - - accounts_password_pam_pwquality_retry - - var_password_pam_retry=3 - status: automated -- id: RHEL-10-600500 - levels: - - medium - title: RHEL 10 must restrict the use of the "su" command. - rules: - - use_pam_wheel_for_su - status: automated -- id: RHEL-10-600510 - levels: - - medium - title: RHEL 10 must be configured to not bypass password requirements for privilege - escalation. - rules: - - disallow_bypass_password_sudo - status: automated -- id: RHEL-10-600520 - levels: - - medium - title: RHEL 10 must restrict privilege elevation to authorized personnel. - rules: - - sudo_restrict_privilege_elevation_to_authorized - status: automated -- id: RHEL-10-600530 - levels: - - medium - title: RHEL 10 must require users to reauthenticate for privilege escalation. - rules: - - sudo_remove_no_authenticate - status: automated -- id: RHEL-10-600540 - levels: - - medium - title: RHEL 10 must require reauthentication when using the "sudo" command. - rules: - - sudo_require_reauthentication - - var_sudo_timestamp_timeout=always_prompt - status: automated -- id: RHEL-10-600550 - levels: - - medium - title: RHEL 10 must use the invoking user's password for privilege escalation when - using "sudo". - rules: - - sudoers_validate_passwd - status: automated -- id: RHEL-10-600560 - levels: - - high - title: RHEL 10 must require users to provide a password for privilege escalation. 
- rules: - - sudo_remove_nopasswd - status: automated -- id: RHEL-10-600600 - levels: - - medium - title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" - file. - rules: - - account_password_pam_faillock_system_auth - status: automated -- id: RHEL-10-600610 - levels: - - medium - title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" - file. - rules: - - account_password_pam_faillock_password_auth - status: automated -- id: RHEL-10-600620 - levels: - - medium - title: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" - file. - rules: - - accounts_password_pam_pwquality_password_auth - status: automated -- id: RHEL-10-600630 - levels: - - medium - title: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" - file. - rules: - - accounts_password_pam_pwquality_system_auth - status: automated -- id: RHEL-10-600640 - levels: - - high - title: RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for - SSHD. - rules: - - sshd_enable_pam - status: automated -- id: RHEL-10-600650 - levels: - - medium - title: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth - file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. - rules: - - set_password_hashing_algorithm_passwordauth - - var_password_hashing_algorithm_pam=sha512 - status: automated -- id: RHEL-10-600700 - levels: - - medium - title: RHEL 10 must be configured to use a sufficient number of hashing rounds for - the shadow password suite. 
- rules: - - accounts_password_pam_unix_rounds_system_auth - - var_password_pam_unix_rounds=100000 - status: automated -- id: RHEL-10-600710 - levels: - - medium - title: RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing - algorithm for system authentication by ensuring that the pam_unix.so module is - configured in the "system-auth" file. - rules: - - set_password_hashing_algorithm_systemauth - - var_password_hashing_algorithm_pam=sha512 - status: automated -- id: RHEL-10-600720 - levels: - - medium - title: RHEL 10 must be configured so that password-auth uses a sufficient number - of hashing rounds. - rules: - - accounts_password_pam_unix_rounds_password_auth - - var_password_pam_unix_rounds=100000 - status: automated -- id: RHEL-10-600730 - levels: - - high - title: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms - for all stored passwords. - rules: - - accounts_password_all_shadowed_sha512 - status: automated -- id: RHEL-10-600740 - levels: - - high - title: RHEL 10 must be configured to use the shadow file to store only encrypted - representations of passwords. - rules: - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 - status: automated -- id: RHEL-10-600750 - levels: - - high - title: RHEL 10 must be configured so that user and group account administration - utilities are configured to store only encrypted representations of passwords. - rules: - - set_password_hashing_algorithm_libuserconf - - var_password_hashing_algorithm_pam=sha512 - status: automated -- id: RHEL-10-700010 - levels: - - medium - title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner - before granting local or remote access to the system via a Secure Shell (SSH) - login. 
- rules: - - sshd_enable_warning_banner - status: automated -- id: RHEL-10-700020 - levels: - - medium - title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner - before granting local or remote access to the system via a graphical user login. - rules: - - dconf_gnome_login_banner_text - - dconf_login_banner_text=dod_banners - - dconf_login_banner_contents=dod_default - status: automated -- id: RHEL-10-700030 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the banner-message-enable setting - for the graphical user interface. - rules: - - dconf_gnome_banner_enabled - status: automated -- id: RHEL-10-700040 - levels: - - medium - title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner - before granting local or remote access to the system via a command line user login. - rules: - - banner_etc_issue - - login_banner_text=dod_banners - - login_banner_contents=dod_default - status: automated -- id: RHEL-10-700100 - levels: - - medium - title: RHEL 10 must prevent special devices on file systems that are imported via - Network File System (NFS). - rules: - - mount_option_nodev_remote_filesystems - status: automated -- id: RHEL-10-700105 - levels: - - medium - title: RHEL 10 must prevent code from being executed on file systems that are imported - via Network File System (NFS). - rules: - - mount_option_noexec_remote_filesystems - status: automated -- id: RHEL-10-700110 - levels: - - medium - title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being - executed on file systems that are imported via Network File System (NFS). - rules: - - mount_option_nosuid_remote_filesystems - status: automated -- id: RHEL-10-700115 - levels: - - medium - title: RHEL 10 must be configured so that the Network File System (NFS) is configured - to use RPCSEC_GSS. 
- rules: - - mount_option_krb_sec_remote_filesystems - status: automated -- id: RHEL-10-700120 - levels: - - medium - title: RHEL 10 must mount "/boot" with the "nodev" option. - rules: - - mount_option_boot_nodev - status: automated -- id: RHEL-10-700125 - levels: - - medium - title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being - executed on the "/boot" directory. - rules: - - mount_option_boot_nosuid - status: automated -- id: RHEL-10-700130 - levels: - - medium - title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being - executed on the "/boot/efi" directory. - rules: - - mount_option_boot_efi_nosuid - status: automated -- id: RHEL-10-700135 - levels: - - medium - title: RHEL 10 must mount "/dev/shm" with the "nodev" option. - rules: - - mount_option_dev_shm_nodev - status: automated -- id: RHEL-10-700140 - levels: - - medium - title: RHEL 10 must mount "/dev/shm" with the "noexec" option. - rules: - - mount_option_dev_shm_noexec - status: automated -- id: RHEL-10-700145 - levels: - - medium - title: RHEL 10 must mount "/dev/shm" with the "nosuid" option. - rules: - - mount_option_dev_shm_nosuid - status: automated -- id: RHEL-10-700150 - levels: - - medium - title: RHEL 10 must mount "/tmp" with the "nodev" option. - rules: - - mount_option_tmp_nodev - status: automated -- id: RHEL-10-700155 - levels: - - medium - title: RHEL 10 must mount "/tmp" with the "noexec" option. - rules: - - mount_option_tmp_noexec - status: automated -- id: RHEL-10-700160 - levels: - - medium - title: RHEL 10 must mount "/tmp" with the "nosuid" option. - rules: - - mount_option_tmp_nosuid - status: automated -- id: RHEL-10-700165 - levels: - - medium - title: RHEL 10 must mount "/var" with the "nodev" option. - rules: - - mount_option_var_nodev - status: automated -- id: RHEL-10-700170 - levels: - - medium - title: RHEL 10 must mount "/var/log" with the "nodev" option. 
- rules: - - mount_option_var_log_nodev - status: automated -- id: RHEL-10-700175 - levels: - - medium - title: RHEL 10 must mount "/var/log" with the "noexec" option. - rules: - - mount_option_var_log_noexec - status: automated -- id: RHEL-10-700180 - levels: - - medium - title: RHEL 10 must mount "/var/log" with the "nosuid" option. - rules: - - mount_option_var_log_nosuid - status: automated -- id: RHEL-10-700185 - levels: - - medium - title: RHEL 10 must mount "/var/tmp" with the "nodev" option. - rules: - - mount_option_var_tmp_nodev - status: automated -- id: RHEL-10-700190 - levels: - - medium - title: RHEL 10 must mount "/var/tmp" with the "noexec" option. - rules: - - mount_option_var_tmp_noexec - status: automated -- id: RHEL-10-700195 - levels: - - medium - title: RHEL 10 must mount "/var/tmp" with the "nosuid" option. - rules: - - mount_option_var_tmp_nosuid - status: automated -- id: RHEL-10-700200 - levels: - - medium - title: RHEL 10 must prevent special devices on nonroot local partitions. - rules: - - mount_option_nodev_nonroot_local_partitions - status: automated -- id: RHEL-10-700400 - levels: - - medium - title: RHEL 10 must enable the SELinux targeted policy. - rules: - - selinux_policytype - - var_selinux_policy_name=targeted - status: automated -- id: RHEL-10-700410 - levels: - - medium - title: RHEL 10 must elevate the SELinux context when an administrator calls the - sudo command. - rules: - - selinux_context_elevation_for_sudo - status: automated -- id: RHEL-10-700420 - levels: - - medium - title: RHEL 10 must use a Linux Security Module configured to enforce limits on - system services. - rules: - - selinux_state - - var_selinux_state=enforcing - status: automated -- id: RHEL-10-700430 - levels: - - medium - title: RHEL 10 must configure SELinux context type to allow the use of a nondefault - faillock tally directory. 
- rules: - - account_password_selinux_faillock_dir - status: automated -- id: RHEL-10-700500 - levels: - - medium - title: RHEL 10 must be configured so that Secure Shell (SSH) public host key files - have mode "0644" or less permissive. - rules: - - file_permissions_sshd_pub_key - status: automated -- id: RHEL-10-700510 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not - allow Generic Security Service Application Program Interface (GSSAPI) authentication. - rules: - - sshd_disable_gssapi_auth - status: automated -- id: RHEL-10-700520 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not - allow Kerberos authentication. - rules: - - sshd_disable_kerb_auth - status: automated -- id: RHEL-10-700530 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not - allow rhosts authentication. - rules: - - sshd_disable_rhosts - status: automated -- id: RHEL-10-700540 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not - allow known hosts authentication. - rules: - - sshd_disable_user_known_hosts - status: automated -- id: RHEL-10-700550 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables - remote X connections for interactive users. - rules: - - sshd_disable_x11_forwarding - status: automated -- id: RHEL-10-700560 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs - strict mode checking of home directory configuration files. - rules: - - sshd_enable_strictmodes - status: automated -- id: RHEL-10-700570 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays - the date and time of the last successful account login upon an SSH login. 
- rules: - - sshd_print_last_log - status: automated -- id: RHEL-10-700580 - levels: - - medium - title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents - remote hosts from connecting to the proxy display. - rules: - - sshd_x11_use_localhost - status: automated -- id: RHEL-10-700590 - levels: - - medium - title: RHEL 10 must be configured so that Secure Shell (SSH) server configuration - files' permissions are not modified. - rules: - - file_permissions_sshd_config - - directory_permissions_sshd_config_d - - file_permissions_sshd_drop_in_config - notes: > - TODO: STIG recommends to use rpm to verify the permissions. - status: automated -- id: RHEL-10-700600 - levels: - - medium - title: RHEL 10 must be configured so that SSHD accepts public key authentication. - rules: - - sshd_enable_pubkey_auth - status: automated -- id: RHEL-10-700610 - levels: - - medium - title: RHEL 10 must be configured so that SSHD does not allow blank passwords. - rules: - - sshd_disable_empty_passwords - status: automated -- id: RHEL-10-700620 - levels: - - medium - title: RHEL 10 must not permit direct logins to the root account using remote access - via Secure Shell (SSH). - rules: - - sshd_disable_root_login - status: automated -- id: RHEL-10-700630 - levels: - - medium - title: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login - to the system. - rules: - - disable_host_auth - status: automated -- id: RHEL-10-700640 - levels: - - high - title: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables. - rules: - - sshd_do_not_permit_user_env - status: automated -- id: RHEL-10-700650 - levels: - - high - title: RHEL 10 must force a frequent session key renegotiation for Secure Shell - (SSH) connections to the server. 
- rules: - - sshd_rekey_limit - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour - status: automated -- id: RHEL-10-700660 - levels: - - medium - title: RHEL 10 must be configured so that all network connections associated with - Secure Shell (SSH) traffic terminate after becoming unresponsive. - rules: - - sshd_set_keepalive - - var_sshd_set_keepalive=1 - status: automated -- id: RHEL-10-700670 - levels: - - medium - title: RHEL 10 must forward mail from postmaster to the root account using a postfix - alias. - rules: - - postfix_client_configure_mail_alias_postmaster - status: automated -- id: RHEL-10-700680 - levels: - - medium - title: RHEL 10 must not have a "shosts.equiv" file on the system. - rules: - - no_host_based_files - status: automated -- id: RHEL-10-700690 - levels: - - medium - title: RHEL 10 must not have any ".shosts" files on the system. - rules: - - no_user_host_based_files - status: automated -- id: RHEL-10-700700 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the disabling of the graphical - user interface automount function. - rules: - - dconf_gnome_disable_automount_open - status: automated -- id: RHEL-10-700710 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the disabling of the graphical - user interface autorun function. - rules: - - dconf_gnome_disable_autorun - status: automated -- id: RHEL-10-700720 - levels: - - high - title: RHEL 10 must not allow unattended or automatic login via the graphical user - interface. - rules: - - gnome_gdm_disable_automatic_login - status: automated -- id: RHEL-10-700730 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the disabling of the graphical - user smart card removal action. 
- rules: - - dconf_gnome_lock_screen_on_smartcard_removal - status: automated -- id: RHEL-10-700740 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the screensaver lock-enabled - setting for the graphical user interface. - rules: - - dconf_gnome_screensaver_lock_enabled - - dconf_gnome_screensaver_lock_locked - status: automated -- id: RHEL-10-700750 - levels: - - medium - title: RHEL 10 must automatically lock graphical user sessions after 15 minutes - of inactivity. - rules: - - dconf_gnome_screensaver_idle_delay - - inactivity_timeout_value=15_minutes - status: automated -- id: RHEL-10-700760 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the session idle-delay setting - for the graphical user interface. - rules: - - dconf_gnome_session_idle_user_locks - status: automated -- id: RHEL-10-700770 - levels: - - medium - title: RHEL 10 must initiate a session lock for graphical user interfaces when the - screensaver is activated. - rules: - - dconf_gnome_screensaver_lock_delay - - var_screensaver_lock_delay=5_seconds - status: automated -- id: RHEL-10-700780 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the session lock-delay setting - for the graphical user interface. - rules: - - dconf_gnome_screensaver_user_locks - status: automated -- id: RHEL-10-700790 - levels: - - medium - title: RHEL 10 must conceal, via the session lock, information previously visible - on the display with a publicly viewable image. - rules: - - dconf_gnome_screensaver_mode_blank - status: automated -- id: RHEL-10-700800 - levels: - - medium - title: RHEL 10 must ensure effective dconf policy matches the policy keyfiles. - rules: - - dconf_db_up_to_date - status: automated -- id: RHEL-10-700810 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting - for the graphical user interface. 
- rules: - - dconf_gnome_disable_restart_shutdown - status: automated -- id: RHEL-10-700820 - levels: - - medium - title: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings - for the graphical user interface. - rules: - - dconf_gnome_disable_ctrlaltdel_reboot - status: automated -- id: RHEL-10-700830 - levels: - - medium - title: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del - and cause a system to shut down or reboot. - rules: - - disable_ctrlaltdel_reboot - status: automated -- id: RHEL-10-700840 - levels: - - medium - title: RHEL 10 must disable the user list at login for graphical user interfaces. - rules: - - dconf_gnome_disable_user_list - status: automated -- id: RHEL-10-700850 - levels: - - medium - title: RHEL 10 must be configured to disable USB mass storage. - rules: - - kernel_module_usb-storage_disabled - status: automated -- id: RHEL-10-700860 - levels: - - medium - title: RHEL 10 must disable Bluetooth. - rules: - - kernel_module_bluetooth_disabled - status: automated -- id: RHEL-10-700870 - levels: - - medium - title: RHEL 10 must disable wireless network adapters. - rules: - - wireless_disable_interfaces - status: automated -- id: RHEL-10-700880 - levels: - - medium - title: RHEL 10 must disable the graphical user interface automounter unless required. - rules: - - dconf_gnome_disable_automount_open - status: automated -- id: RHEL-10-700890 - levels: - - low - title: RHEL 10 must disable the graphical user interface autorunner unless required. - rules: - - dconf_gnome_disable_autorun - status: automated -- id: RHEL-10-700900 - levels: - - medium - title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized - code execution. - rules: - - bios_enable_execution_restrictions - status: automated -- id: RHEL-10-700920 - levels: - - medium - title: RHEL 10 must automatically exit interactive command shell user sessions after - 15 minutes of inactivity. 
- rules: - - accounts_tmout - - var_accounts_tmout=15_min - status: automated -- id: RHEL-10-700930 - levels: - - medium - title: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) - daemon. - rules: - - sshd_set_idle_timeout - - sshd_idle_timeout_value=10_minutes - status: automated -- id: RHEL-10-700940 - levels: - - medium - title: RHEL 10 must not default to the graphical display manager unless approved. - rules: - - xwindows_runlevel_target - status: automated -- id: RHEL-10-700950 - levels: - - high - title: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence. - rules: - - disable_ctrlaltdel_burstaction - status: automated -- id: RHEL-10-700960 - levels: - - high - title: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence. - rules: - - disable_ctrlaltdel_reboot - status: automated -- id: RHEL-10-700980 - levels: - - medium - title: RHEL 10 must disable the ability of systemd to spawn an interactive boot - process. - rules: - - grub2_disable_interactive_boot - status: automated -- id: RHEL-10-700990 - levels: - - medium - title: RHEL 10 must disable virtual system calls. - rules: - - grub2_vsyscall_argument - status: automated -- id: RHEL-10-701000 - levels: - - medium - title: RHEL 10 must clear the page allocator to prevent use-after-free attacks. - rules: - - grub2_page_poison_argument - status: automated -- id: RHEL-10-701010 - levels: - - medium - title: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks. - rules: - - grub2_init_on_free - status: automated -- id: RHEL-10-701020 - levels: - - medium - title: RHEL 10 must enable mitigations against processor-based vulnerabilities. - rules: - - grub2_pti_argument - status: automated -- id: RHEL-10-701030 - levels: - - medium - title: RHEL 10 must restrict access to the kernel message buffer. 
- rules: - - sysctl_kernel_dmesg_restrict - status: automated -- id: RHEL-10-701040 - levels: - - medium - title: RHEL 10 must prevent kernel profiling by nonprivileged users. - rules: - - sysctl_kernel_perf_event_paranoid - status: automated -- id: RHEL-10-701050 - levels: - - high - title: RHEL 10 must prevent the loading of a new kernel for later execution. - rules: - - sysctl_kernel_kexec_load_disabled - status: automated -- id: RHEL-10-701060 - levels: - - medium - title: RHEL 10 must restrict exposed kernel pointer address access. - rules: - - sysctl_kernel_kptr_restrict - status: automated -- id: RHEL-10-701070 - levels: - - medium - title: RHEL 10 must enable kernel parameters to enforce discretionary access control - (DAC) on hardlinks. - rules: - - sysctl_fs_protected_hardlinks - status: automated -- id: RHEL-10-701080 - levels: - - medium - title: RHEL 10 must enable kernel parameters to enforce discretionary access control - (DAC) on symlinks. - rules: - - sysctl_fs_protected_symlinks - status: automated -- id: RHEL-10-701090 - levels: - - medium - title: RHEL 10 must disable the "kernel.core_pattern". - rules: - - sysctl_kernel_core_pattern - status: automated -- id: RHEL-10-701100 - levels: - - medium - title: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel - module. - rules: - - kernel_module_can_disabled - status: automated -- id: RHEL-10-701110 - levels: - - medium - title: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel - module. - rules: - - kernel_module_sctp_disabled - status: automated -- id: RHEL-10-701120 - levels: - - medium - title: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel - module. - rules: - - kernel_module_tipc_disabled - status: automated -- id: RHEL-10-701130 - levels: - - medium - title: RHEL 10 must implement address space layout randomization (ASLR) to protect - its memory from unauthorized code execution. 
- rules: - - sysctl_kernel_randomize_va_space - status: automated -- id: RHEL-10-701140 - levels: - - medium - title: RHEL 10 must restrict usage of ptrace to descendant processes. - rules: - - sysctl_kernel_yama_ptrace_scope - status: automated -- id: RHEL-10-701150 - levels: - - medium - title: RHEL 10 must disable core dump backtraces. - rules: - - coredump_disable_backtraces - status: automated -- id: RHEL-10-701160 - levels: - - medium - title: RHEL 10 must disable storing core dumps. - rules: - - coredump_disable_storage - status: automated -- id: RHEL-10-701170 - levels: - - medium - title: RHEL 10 must disable core dumps for all users. - rules: - - disable_users_coredumps - status: automated -- id: RHEL-10-701180 - levels: - - medium - title: RHEL 10 must disable acquiring, saving, and processing core dumps. - rules: - - service_systemd-coredump_disabled - status: automated -- id: RHEL-10-701190 - levels: - - medium - title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized - code execution. - rules: - - sysctl_kernel_exec_shield - status: automated -- id: RHEL-10-701200 - levels: - - medium - title: RHEL 10 must disable the kdump service. - rules: - - service_kdump_disabled - status: automated -- id: RHEL-10-701210 - levels: - - medium - title: RHEL 10 must disable file system automount function unless required. - rules: - - service_autofs_disabled - status: automated -- id: RHEL-10-701220 - levels: - - medium - title: RHEL 10 must enable certificate-based smart card authentication. - rules: - - sssd_enable_smartcards - status: automated -- id: RHEL-10-701230 - levels: - - medium - title: RHEL 10 must implement certificate status checking for multifactor authentication. 
- rules: - - sssd_certificate_verification - - var_sssd_certificate_verification_digest_function=sha512 - status: automated -- id: RHEL-10-701240 - levels: - - medium - title: RHEL 10 must, for PKI-based authentication, enforce authorized access to - the corresponding private key. - rules: - - ssh_keys_passphrase_protected - status: automated -- id: RHEL-10-701250 - levels: - - medium - title: RHEL 10 must require authentication to access emergency mode. - rules: - - require_emergency_target_auth - status: automated -- id: RHEL-10-701260 - levels: - - medium - title: RHEL 10 must require authentication to access single-user mode. - rules: - - require_singleuser_auth - status: automated -- id: RHEL-10-701270 - levels: - - medium - title: RHEL 10 must, for PKI-based authentication, validate certificates by constructing - a certification path (which includes status information) to an accepted trust - anchor. - rules: - - sssd_has_trust_anchor - status: automated -- id: RHEL-10-701280 - levels: - - medium - title: RHEL 10 must map the authenticated identity to the user or group account - for public key infrastructure (PKI)-based authentication. - rules: - - sssd_enable_certmap - status: automated -- id: RHEL-10-701290 - levels: - - medium - title: RHEL 10 must prohibit the use of cached authenticators after one day. - rules: - - sssd_offline_cred_expiration - status: automated -- id: RHEL-10-800000 - levels: - - medium - title: RHEL 10 must control remote access methods. - rules: - - configure_firewalld_ports - status: automated -- id: RHEL-10-800010 - levels: - - medium - title: RHEL 10 must be configured to prohibit or restrict the use of functions, - ports, protocols, and/or services, as defined in the Ports, Protocols, and Services - Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
- rules: - - firewalld_sshd_port_enabled - status: automated -- id: RHEL-10-800020 - levels: - - medium - title: RHEL 10 must enforce that network interfaces not be in promiscuous mode. - rules: - - network_sniffer_disabled - status: automated -- id: RHEL-10-800030 - levels: - - medium - title: RHEL 10 must disable access to the network bpf system call from nonprivileged - processes. - rules: - - sysctl_kernel_unprivileged_bpf_disabled - status: automated -- id: RHEL-10-800040 - levels: - - medium - title: RHEL 10 must securely compare internal information system clocks at least - every 24 hours. - rules: - - chronyd_or_ntpd_set_maxpoll - - chronyd_server_directive - - chronyd_specify_remote_server - - var_multiple_time_servers=stig - - var_time_service_set_maxpoll=18_hours - status: automated -- id: RHEL-10-800050 - levels: - - medium - title: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time - compiler. - rules: - - sysctl_net_core_bpf_jit_harden - status: automated -- id: RHEL-10-800060 - levels: - - medium - title: RHEL 10 must have at least two name servers configured for systems using - Domain Name Server (DNS) resolution. - rules: - - network_configure_name_resolution - status: automated -- id: RHEL-10-800070 - levels: - - medium - title: RHEL 10 must not have unauthorized IP tunnels configured. - rules: - - libreswan_approved_tunnels - status: automated -- id: RHEL-10-800080 - levels: - - medium - title: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies. - rules: - - sysctl_net_ipv4_tcp_syncookies - status: automated -- id: RHEL-10-800090 - levels: - - medium - title: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message - Protocol (ICMP) redirect messages. - rules: - - sysctl_net_ipv4_conf_all_accept_redirects - status: automated -- id: RHEL-10-800100 - levels: - - medium - title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed - packets. 
- rules: - - sysctl_net_ipv4_conf_all_accept_source_route - status: automated -- id: RHEL-10-800110 - levels: - - medium - title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible - addresses. - rules: - - sysctl_net_ipv4_conf_all_log_martians - status: automated -- id: RHEL-10-800120 - levels: - - medium - title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible - addresses by default. - rules: - - sysctl_net_ipv4_conf_default_log_martians - status: automated -- id: RHEL-10-800130 - levels: - - medium - title: RHEL 10 must use reverse path filtering on all Internet Protocol version - 4 (IPv4) interfaces. - rules: - - sysctl_net_ipv4_conf_all_rp_filter - status: automated -- id: RHEL-10-800140 - levels: - - medium - title: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control - Message Protocol (ICMP) redirect messages from being accepted. - rules: - - sysctl_net_ipv4_conf_default_accept_redirects - status: automated -- id: RHEL-10-800150 - levels: - - medium - title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed - packets by default. - rules: - - sysctl_net_ipv4_conf_default_accept_source_route - status: automated -- id: RHEL-10-800160 - levels: - - medium - title: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) - network traffic when possible by default. - rules: - - sysctl_net_ipv4_conf_default_rp_filter - status: automated -- id: RHEL-10-800170 - levels: - - medium - title: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes - sent to a broadcast address. - rules: - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - status: automated -- id: RHEL-10-800180 - levels: - - medium - title: RHEL 10 must limit the number of bogus Internet Control Message Protocol - (ICMP) response errors logs. 
- rules: - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - status: automated -- id: RHEL-10-800190 - levels: - - medium - title: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects. - rules: - - sysctl_net_ipv4_conf_all_send_redirects - status: automated -- id: RHEL-10-800200 - levels: - - medium - title: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol - (ICMP) redirects by default. - rules: - - sysctl_net_ipv4_conf_default_send_redirects - status: automated -- id: RHEL-10-800210 - levels: - - medium - title: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding - unless the system is a router. - rules: - - sysctl_net_ipv4_conf_all_forwarding - status: automated -- id: RHEL-10-800220 - levels: - - medium - title: RHEL 10 must not accept router advertisements on all Internet Protocol version - 6 (IPv6) interfaces. - rules: - - sysctl_net_ipv6_conf_all_accept_ra - status: automated -- id: RHEL-10-800230 - levels: - - medium - title: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect - messages. - rules: - - sysctl_net_ipv6_conf_all_accept_redirects - status: automated -- id: RHEL-10-800240 - levels: - - medium - title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed - packets. - rules: - - sysctl_net_ipv6_conf_all_accept_source_route - status: automated -- id: RHEL-10-800250 - levels: - - medium - title: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding - unless the system is a router. - rules: - - sysctl_net_ipv6_conf_all_forwarding - status: automated -- id: RHEL-10-800260 - levels: - - medium - title: RHEL 10 must not accept router advertisements on all Internet Protocol version - 6 (IPv6) interfaces by default. 
- rules: - - sysctl_net_ipv6_conf_default_accept_ra - status: automated -- id: RHEL-10-800270 - levels: - - medium - title: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control - Message Protocol (ICMP) redirect messages from being accepted. - rules: - - sysctl_net_ipv6_conf_default_accept_redirects - status: automated -- id: RHEL-10-800280 - levels: - - medium - title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed - packets by default. - rules: - - sysctl_net_ipv6_conf_default_accept_source_route - status: automated -- id: RHEL-10-800290 - levels: - - medium - title: RHEL 10 must protect against or limit the effects of denial-of-service (DoS) - attacks by ensuring that rate-limiting measures on impacted network interfaces - are implemented. - rules: - - firewalld-backend - related_rules: - - sysctl_net_ipv4_tcp_invalid_ratelimit - - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred - notes: > - TODO: resolve mismatch of title and description - status: automated -- id: RHEL-10-800300 - levels: - - medium - title: RHEL 10 must configure a DNS processing mode in Network Manager to avoid - conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries - to untrusted networks. - rules: - - networkmanager_dns_mode - - var_networkmanager_dns_mode=explicit_default - status: automated -- id: RHEL-10-800310 - levels: - - medium - title: RHEL 10 must be configured to operate in secure mode if the Trivial File - Transfer Protocol (TFTP) server service is required. - rules: - - tftp_uses_secure_mode_systemd - status: automated -- id: RHEL-10-900000 - levels: - - medium - title: RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" - file to prevent unauthorized access. - rules: - - file_permissions_etc_audit_auditd - status: automated -- id: RHEL-10-900100 - levels: - - medium - title: RHEL 10 must prevent unauthorized changes to the audit system. 
- rules: - - audit_rules_immutable - status: automated -- id: RHEL-10-001000 - levels: - - high - title: RHEL 10 must be a vendor-supported release. - rules: - - installed_OS_is_vendor_supported - status: automated + - id: RHEL-10-700970 + levels: + - medium + title: RHEL 10 must disable the debug-shell systemd service. + rules: + - service_debug-shell_disabled + status: automated + - id: RHEL-10-001020 + levels: + - medium + title: RHEL 10 must ensure cryptographic verification of vendor software packages. + rules: + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + status: automated + - id: RHEL-10-001030 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating + from external software repositories before installation. + rules: + - ensure_gpgcheck_globally_activated + status: automated + - id: RHEL-10-001040 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages + before installation. + rules: + - ensure_gpgcheck_local_packages + status: automated + - id: RHEL-10-001050 + levels: + - high + title: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software + repositories. + rules: + - enable_gpgcheck_for_all_repositories + status: automated + - id: RHEL-10-000510 + levels: + - high + title: RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + of all information on local disk partitions that requires at-rest protection. + rules: + - encrypt_partitions + status: automated + - id: RHEL-10-000520 + levels: + - low + title: RHEL 10 must use a separate file system for the system audit data path. + rules: + - partition_for_var_log_audit + status: automated + - id: RHEL-10-000530 + levels: + - medium + title: RHEL 10 must use a separate file system for user home directories (such as "/home" or an + equivalent). 
+ rules: + - partition_for_home + status: automated + - id: RHEL-10-000540 + levels: + - medium + title: RHEL 10 must use a separate file system for "/tmp". + rules: + - partition_for_tmp + status: automated + - id: RHEL-10-000550 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var". + rules: + - partition_for_var + status: automated + - id: RHEL-10-000560 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/log". + rules: + - partition_for_var_log + status: automated + - id: RHEL-10-000570 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/tmp". + rules: + - partition_for_var_tmp + status: automated + - id: RHEL-10-200000 + levels: + - medium + title: RHEL 10 must remove all software components after updated versions have been installed. + rules: + - clean_components_post_updating + status: automated + - id: RHEL-10-200010 + levels: + - medium + title: RHEL 10 must not have the "nfs-utils" package installed. + rules: + - package_nfs-utils_removed + status: automated + - id: RHEL-10-200020 + levels: + - high + title: RHEL 10 must not have the "telnet-server" package installed. + rules: + - package_telnet-server_removed + status: automated + - id: RHEL-10-200030 + levels: + - medium + title: RHEL 10 must not have the "gssproxy" package installed. + rules: + - package_gssproxy_removed + status: automated + - id: RHEL-10-200040 + levels: + - medium + title: RHEL 10 must not have the tuned package installed. + rules: + - package_tuned_removed + status: automated + - id: RHEL-10-200050 + levels: + - medium + title: RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless + it is required by the mission, and if required, the TFTP daemon must be configured to operate + in secure mode. + rules: + - package_tftp-server_removed + status: automated + - id: RHEL-10-200060 + levels: + - medium + title: RHEL 10 must not have the unbound package installed. 
+ rules: + - package_unbound_removed + status: automated + - id: RHEL-10-200070 + levels: + - high + title: RHEL 10 must not have the "tftp" package installed. + rules: + - package_tftp_removed + status: automated + - id: RHEL-10-200080 + levels: + - medium + title: RHEL 10 must not have the "gdm" package installed. + rules: + - package_gdm_removed + status: automated + - id: RHEL-10-200090 + levels: + - high + title: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. + rules: + - package_vsftpd_removed + status: automated + - id: RHEL-10-200500 + levels: + - medium + title: RHEL 10 must have the "subscription-manager" package installed. + rules: + - package_subscription-manager_installed + status: automated + - id: RHEL-10-200510 + levels: + - medium + title: RHEL 10 must have the "nss-tools" package installed. + rules: + - package_nss-tools_installed + status: automated + - id: RHEL-10-200520 + levels: + - medium + title: RHEL 10 must have the "s-nail" package installed. + rules: + - package_s-nail_installed + status: automated + - id: RHEL-10-200530 + levels: + - medium + title: RHEL 10 must have the "firewalld" package installed. + rules: + - package_firewalld_installed + status: automated + - id: RHEL-10-200531 + levels: + - medium + title: RHEL 10 must have the "firewalld" service set to active. + rules: + - service_firewalld_enabled + status: automated + - id: RHEL-10-200532 + levels: + - medium + title: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other + systems. + rules: + - configured_firewalld_default_deny + related_rules: + - set_firewalld_default_zone + status: automated + - id: RHEL-10-200540 + levels: + - medium + title: RHEL 10 must have the "chrony" package installed. + rules: + - package_chrony_installed + status: automated + - id: RHEL-10-200541 + levels: + - medium + title: RHEL 10 must enable the chronyd service. 
+ rules: + - service_chronyd_enabled + status: automated + - id: RHEL-10-200542 + levels: + - medium + title: RHEL 10 must disable the chrony daemon from acting as a server. + rules: + - chronyd_client_only + status: automated + - id: RHEL-10-200543 + levels: + - medium + title: RHEL 10 must disable network management of the chrony daemon. + rules: + - chronyd_no_chronyc_network + status: automated + - id: RHEL-10-200560 + levels: + - medium + title: RHEL 10 must have the USBGuard package installed. + rules: + - package_usbguard_installed + status: automated + - id: RHEL-10-200561 + levels: + - medium + title: RHEL 10 must have the USBGuard package enabled. + rules: + - service_usbguard_enabled + status: automated + - id: RHEL-10-200562 + levels: + - medium + title: RHEL 10 must block unauthorized peripherals before establishing a connection. + rules: + - usbguard_generate_policy + status: automated + - id: RHEL-10-200563 + levels: + - medium + title: RHEL 10 must enable audit logging for the USBGuard daemon. + rules: + - configure_usbguard_auditbackend + status: automated + - id: RHEL-10-200570 + levels: + - medium + title: RHEL 10 must have the "policycoreutils" package installed. + rules: + - package_policycoreutils_installed + status: automated + - id: RHEL-10-200580 + levels: + - medium + title: RHEL 10 must have the "policycoreutils-python-utils" package installed. + rules: + - package_policycoreutils-python-utils_installed + status: automated + - id: RHEL-10-200590 + levels: + - medium + title: RHEL 10 must have the "sudo" package installed. + rules: + - package_sudo_installed + status: automated + - id: RHEL-10-200600 + levels: + - medium + title: RHEL 10 must have the "fapolicy" module installed. + rules: + - package_fapolicyd_installed + status: automated + - id: RHEL-10-200601 + levels: + - medium + title: RHEL 10 must enable the "fapolicy" module. 
+ rules: + - service_fapolicyd_enabled + status: automated + - id: RHEL-10-200602 + levels: + - medium + title: RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the + execution of authorized software programs. + rules: + - fapolicy_default_deny + status: automated + - id: RHEL-10-200610 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite" package installed. + rules: + - package_pcsc-lite_installed + status: automated + - id: RHEL-10-200611 + levels: + - medium + title: RHEL 10 must have the "pcscd" service set to active. + rules: + - service_pcscd_enabled + status: automated + - id: RHEL-10-200612 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite-ccid" package installed. + rules: + - package_pcsc-lite-ccid_installed + status: automated + - id: RHEL-10-200620 + levels: + - medium + title: RHEL 10 must have the "opensc" package installed. + rules: + - package_opensc_installed + status: automated + - id: RHEL-10-200621 + levels: + - medium + title: RHEL 10 must use the common access card (CAC) smart card driver. + rules: + - configure_opensc_card_drivers + - var_smartcard_drivers=cac + status: automated + - id: RHEL-10-200630 + levels: + - medium + title: RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed. + rules: + - package_aide_installed + status: automated + - id: RHEL-10-200631 + levels: + - high + title: RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools. + rules: + - aide_check_audit_tools + status: automated + - id: RHEL-10-200632 + levels: + - medium + title: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic + hashes for validating file contents and directories. 
+ rules: + - aide_use_fips_hashes + status: automated + - id: RHEL-10-200633 + levels: + - medium + title: RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify + the system administrator when anomalies in the operation of any security functions are discovered. + rules: + - aide_build_database + - aide_periodic_cron_checking + - aide_scan_notification + - aide_use_fips_hashes + - package_aide_installed + status: automated + - id: RHEL-10-200634 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists + (ACLs). + rules: + - aide_verify_acls + status: automated + - id: RHEL-10-200635 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies extended attributes. + rules: + - aide_verify_ext_attributes + status: automated + - id: RHEL-10-200640 + levels: + - medium + title: RHEL 10 must have the "rsyslog" package installed. + rules: + - package_rsyslog_installed + status: automated + - id: RHEL-10-200641 + levels: + - medium + title: RHEL 10 must have the rsyslog service set to active. + rules: + - service_rsyslog_enabled + status: automated + - id: RHEL-10-200642 + levels: + - medium + title: RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) + to a different system or media from the system being audited via rsyslog. + rules: + - rsyslog_remote_loghost + status: automated + - id: RHEL-10-200643 + levels: + - medium + title: RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from + other servers unless the server is being used for log aggregation. + rules: + - rsyslog_nolisten + status: automated + - id: RHEL-10-200644 + levels: + - medium + title: RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog". 
+ rules: + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + status: automated + - id: RHEL-10-200645 + levels: + - medium + title: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or + media from the system being audited via rsyslog. + rules: + - rsyslog_encrypt_offload_actionsendstreamdrivermode + status: automated + - id: RHEL-10-200646 + levels: + - medium + title: RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto + a different system or media from the system being audited via rsyslog. + rules: + - rsyslog_encrypt_offload_defaultnetstreamdriver + status: automated + - id: RHEL-10-200647 + levels: + - medium + title: RHEL 10 must monitor all remote access methods. + rules: + - rsyslog_remote_access_monitoring + status: automated + - id: RHEL-10-200648 + levels: + - medium + title: RHEL 10 must use cron logging. + rules: + - rsyslog_cron_logging + status: automated + - id: RHEL-10-200650 + levels: + - medium + title: RHEL 10 must have the packages required for encrypting off-loaded audit logs installed. + rules: + - package_rsyslog-gnutls_installed + status: automated + - id: RHEL-10-200660 + levels: + - medium + title: RHEL 10 must have the "audit" package installed. + rules: + - package_audit_installed + status: automated + - id: RHEL-10-200661 + levels: + - medium + title: RHEL 10 must enable the audit service. + rules: + - service_auditd_enabled + status: automated + - id: RHEL-10-200662 + levels: + - low + title: RHEL 10 must have the "audispd-plugins" package installed. + rules: + - package_audispd-plugins_installed + status: automated + - id: RHEL-10-200680 + levels: + - medium + title: RHEL 10 must have the "libreswan" package installed. + rules: + - package_libreswan_installed + status: automated + - id: RHEL-10-200690 + levels: + - medium + title: RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized + manner. 
+ rules: + - package_postfix_installed + status: automated + - id: RHEL-10-200691 + levels: + - medium + title: RHEL 10 must have mail aliases to notify the information system security officer (ISSO) + and system administrator (SA) (at a minimum) of an audit processing failure. + rules: + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_postfix_root_mail_alias=mil_sysadmin + status: automated + - id: RHEL-10-200692 + levels: + - medium + title: RHEL 10 must be configured to prevent unrestricted mail relaying. + rules: + - postfix_prevent_unrestricted_relay + status: automated + - id: RHEL-10-200700 + levels: + - medium + title: RHEL 10 must have the "cronie" package installed. + rules: + - package_cron_installed + status: automated + - id: RHEL-10-200720 + levels: + - medium + title: RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems. + rules: + - package_openssh-server_installed + status: automated + - id: RHEL-10-200721 + levels: + - medium + title: RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect + the confidentiality and integrity of transmitted and received information. + rules: + - service_sshd_enabled + status: automated + - id: RHEL-10-200722 + levels: + - medium + title: RHEL 10 must have the "openssh-clients" package installed. + rules: + - package_openssh-clients_installed + status: automated + - id: RHEL-10-200730 + levels: + - medium + title: RHEL 10 must have the "pkcs11-provider" package installed. + rules: + - install_smartcard_packages + status: automated + - id: RHEL-10-200740 + levels: + - medium + title: RHEL 10 must have the "gnutls-utils" package installed. + rules: + - package_gnutls-utils_installed + status: automated + - id: RHEL-10-300000 + levels: + - high + title: RHEL 10 must have the "crypto-policies" package installed. 
+ rules: + - package_crypto-policies_installed + status: automated + - id: RHEL-10-300010 + levels: + - high + title: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. + rules: + - configure_crypto_policy + - var_system_crypto_policy=fips + status: automated + - id: RHEL-10-000500 + levels: + - high + title: RHEL 10 must enable FIPS mode. + rules: + - enable_fips_mode + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + status: automated + - id: RHEL-10-300030 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption + ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality + of SSH client connections. + rules: + - harden_sshd_ciphers_openssh_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel10 + status: automated + - id: RHEL-10-300040 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption + ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality + of SSH server connections. + rules: + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel10 + status: automated + - id: RHEL-10-300050 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message + Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to + protect the confidentiality of SSH client connections. + rules: + - harden_sshd_macs_openssh_conf_crypto_policy + - sshd_approved_macs=stig_rhel10 + status: automated + - id: RHEL-10-300060 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message + Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to + protect the confidentiality of SSH server connections. 
+ rules: + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sshd_approved_macs=stig_rhel10 + status: automated + - id: RHEL-10-300070 + levels: + - high + title: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. + rules: + - configure_libreswan_crypto_policy + status: automated + - id: RHEL-10-300080 + levels: + - high + title: RHEL 10 must implement DOD-approved encryption in the bind package. + rules: + - configure_bind_crypto_policy + status: automated + - id: RHEL-10-300090 + levels: + - high + title: RHEL 10 cryptographic policy must not be overridden. + rules: + - configure_crypto_policy + - var_system_crypto_policy=fips + status: automated + - id: RHEL-10-400000 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is owned by root. + rules: + - file_owner_etc_group + status: automated + - id: RHEL-10-400005 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". + rules: + - file_groupowner_etc_group + status: automated + - id: RHEL-10-400010 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". + rules: + - file_owner_backup_etc_group + status: automated + - id: RHEL-10-400015 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_group + status: automated + - id: RHEL-10-400020 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". + rules: + - file_owner_etc_gshadow + status: automated + - id: RHEL-10-400025 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". + rules: + - file_groupowner_etc_gshadow + status: automated + - id: RHEL-10-400030 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". 
+ rules: + - file_owner_backup_etc_gshadow + status: automated + - id: RHEL-10-400035 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_gshadow + status: automated + - id: RHEL-10-400040 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". + rules: + - file_owner_etc_passwd + status: automated + - id: RHEL-10-400045 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". + rules: + - file_groupowner_etc_passwd + status: automated + - id: RHEL-10-400050 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". + rules: + - file_owner_backup_etc_passwd + status: automated + - id: RHEL-10-400055 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_passwd + status: automated + - id: RHEL-10-400060 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". + rules: + - file_owner_etc_shadow + status: automated + - id: RHEL-10-400065 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". + rules: + - file_groupowner_etc_shadow + status: automated + - id: RHEL-10-400070 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". + rules: + - file_owner_backup_etc_shadow + status: automated + - id: RHEL-10-400075 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_shadow + status: automated + - id: RHEL-10-400080 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is owned by "root". 
+ rules: + - file_owner_var_log + status: automated + - id: RHEL-10-400085 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root". + rules: + - file_groupowner_var_log + status: automated + - id: RHEL-10-400090 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/"messages file is owned by root. + rules: + - file_owner_var_log_messages + status: automated + - id: RHEL-10-400095 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root". + rules: + - file_groupowner_var_log_messages + status: automated + - id: RHEL-10-400100 + levels: + - medium + title: RHEL 10 must be configured so that system commands are owned by "root". + rules: + - file_ownership_binary_dirs + status: automated + - id: RHEL-10-400105 + levels: + - medium + title: RHEL 10 must be configured so that system commands are group-owned by root or a system account. + rules: + - file_groupownership_system_commands_dirs + status: automated + - id: RHEL-10-400110 + levels: + - medium + title: RHEL 10 must be configured so that library files are owned by "root". + rules: + - file_ownership_library_dirs + status: automated + - id: RHEL-10-400115 + levels: + - medium + title: RHEL 10 must be configured so that library files are group-owned by "root" or a system account. + rules: + - root_permissions_syslibrary_files + status: automated + - id: RHEL-10-400120 + levels: + - medium + title: RHEL 10 must be configured so that library directories are owned by "root". + rules: + - dir_ownership_library_dirs + status: automated + - id: RHEL-10-400125 + levels: + - medium + title: RHEL 10 must be configured so that library directories are group-owned by "root" or a system + account. 
+ rules: + - dir_group_ownership_library_dirs + status: automated + - id: RHEL-10-400130 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration file directories are owned by root. + rules: + - file_owner_cron_d + - file_owner_cron_daily + - file_owner_cron_hourly + - file_owner_cron_monthly + - file_owner_cron_weekly + - file_owner_crontab + - file_owner_cron_deny + status: automated + - id: RHEL-10-400135 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration files directories are group-owned + by root. + rules: + - file_groupowner_cron_d + - file_groupowner_cron_daily + - file_groupowner_cron_hourly + - file_groupowner_cron_monthly + - file_groupowner_cron_weekly + - file_groupowner_crontab + - file_groupowner_cron_deny + status: automated + - id: RHEL-10-400140 + levels: + - medium + title: RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, + or an application user. + rules: + - dir_perms_world_writable_root_owned + status: automated + - id: RHEL-10-400145 + levels: + - medium + title: RHEL 10 must be configured so that all system device files are correctly labeled to prevent + unauthorized modification. + rules: + - selinux_all_devicefiles_labeled + status: automated + - id: RHEL-10-400150 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned + by "root". + rules: + - file_groupowner_sshd_config + - directory_groupowner_sshd_config_d + - file_groupowner_sshd_drop_in_config + status: automated + - id: RHEL-10-400155 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned + by "root". 
+ rules: + - file_sshd_50_redhat_exists + - file_owner_sshd_config + - directory_owner_sshd_config_d + - file_owner_sshd_drop_in_config + notes: > + TODO: investigate if file_sshd_50_redhat_exists is a convenience rule or a prerequisite + or if it's superfluous and should be removed. + status: automated + - id: RHEL-10-400160 + levels: + - medium + title: RHEL 10 must ensure that all local interactive user home directories are group-owned by + the home directory owner's primary group. + rules: + - file_groupownership_home_directories + status: automated + - id: RHEL-10-400165 + levels: + - medium + title: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging + group to prevent unauthorized read access. + rules: + - file_group_ownership_var_log_audit + status: automated + - id: RHEL-10-400170 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized + read access. + rules: + - directory_ownership_var_log_audit + status: automated + - id: RHEL-10-400175 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access. + rules: + - file_ownership_var_log_audit_stig + status: automated + - id: RHEL-10-400180 + levels: + - medium + title: RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log + files to prevent unauthorized access. + rules: + - directory_group_ownership_var_log_audit + status: automated + - id: RHEL-10-400185 + levels: + - medium + title: RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized + access to the audit log. + rules: + - file_permissions_var_log_audit + status: automated + - id: RHEL-10-400190 + levels: + - medium + title: RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive + to prevent unauthorized read access. 
+ rules: + - directory_permissions_var_log_audit + status: automated + - id: RHEL-10-400195 + levels: + - medium + title: RHEL 10 must enforce root ownership of the "/etc/audit/" directory. + rules: + - file_ownership_audit_configuration + status: automated + - id: RHEL-10-400200 + levels: + - medium + title: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. + rules: + - file_groupownership_audit_configuration + status: automated + - id: RHEL-10-400205 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for system commands. + rules: + - file_permissions_binary_dirs + status: automated + - id: RHEL-10-400210 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive on library directories. + rules: + - dir_permissions_library_dirs + status: automated + - id: RHEL-10-400215 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for library files. + rules: + - file_permissions_library_dirs + status: automated + - id: RHEL-10-400220 + levels: + - medium + title: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. + rules: + - file_permissions_var_log + status: automated + - id: RHEL-10-400225 + levels: + - medium + title: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file. + rules: + - file_permissions_var_log_messages + status: automated + - id: RHEL-10-400230 + levels: + - medium + title: RHEL 10 must be configured to prohibit modification of permissions for cron configuration + files and directories from the operating system defaults. + rules: + - file_permissions_cron_d + - file_permissions_cron_daily + - file_permissions_cron_hourly + - file_permissions_cron_monthly + - file_permissions_cron_weekly + - file_permissions_crontab + status: automated + notes: > + TODO: STIG recommends to use rpm to verify that permissions match the operating system defaults. 
+ - id: RHEL-10-400235 + levels: + - medium + title: RHEL 10 must enforce mode "0740" or less permissive for local initialization files. + rules: + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles + status: automated + - id: RHEL-10-400240 + levels: + - medium + title: RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. + rules: + - file_permissions_home_directories + status: automated + - id: RHEL-10-400245 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent + unauthorized access. + rules: + - file_permissions_etc_group + status: automated + - id: RHEL-10-400250 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent + unauthorized access. + rules: + - file_permissions_backup_etc_group + status: automated + - id: RHEL-10-400255 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent + unauthorized access. + rules: + - file_permissions_etc_gshadow + status: automated + - id: RHEL-10-400260 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent + unauthorized access. + rules: + - file_permissions_backup_etc_gshadow + status: automated + - id: RHEL-10-400265 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent + unauthorized access. + rules: + - file_permissions_etc_passwd + status: automated + - id: RHEL-10-400270 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized + access. 
+ rules: + - file_permissions_backup_etc_passwd + status: automated + - id: RHEL-10-400275 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized + access. + rules: + - file_permissions_backup_etc_shadow + status: automated + - id: RHEL-10-400280 + levels: + - medium + title: RHEL 10 must be configured so that a sticky bit is set on all public directories. + rules: + - dir_perms_world_writable_sticky_bits + status: automated + - id: RHEL-10-400285 + levels: + - medium + title: RHEL 10 must be configured so that all local files and directories have a valid group owner. + rules: + - file_permissions_ungroupowned + status: automated + - id: RHEL-10-400290 + levels: + - medium + title: RHEL 10 must be configured so that all local files and directories must have a valid owner. + rules: + - no_files_unowned_by_user + status: automated + - id: RHEL-10-400295 + levels: + - medium + title: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access. + rules: + - file_permissions_etc_shadow + status: automated + - id: RHEL-10-400300 + levels: + - medium + title: RHEL 10 must be configured so that audit tools are owned by "root". + rules: + - file_audit_tools_ownership + status: automated + - id: RHEL-10-400305 + levels: + - medium + title: RHEL 10 must be configured so that audit tools are group-owned by "root". + rules: + - file_audit_tools_group_ownership + status: automated + - id: RHEL-10-400310 + levels: + - medium + title: RHEL 10 must set the umask value to "077" for all local interactive user accounts. + rules: + - accounts_umask_interactive_users + - var_accounts_user_umask=077 + status: automated + - id: RHEL-10-400315 + levels: + - medium + title: RHEL 10 must define default permissions for the bash shell. 
+ rules: + - accounts_umask_etc_bashrc + - var_accounts_user_umask=077 + status: automated + - id: RHEL-10-400320 + levels: + - medium + title: RHEL 10 must define default permissions for the c shell. + rules: + - accounts_umask_etc_csh_cshrc + - var_accounts_user_umask=077 + status: automated + - id: RHEL-10-400325 + levels: + - medium + title: RHEL 10 must define default permissions for all authenticated users in such a way that the + user can read and modify only their own files. + rules: + - accounts_umask_etc_login_defs + - var_accounts_user_umask=077 + status: automated + - id: RHEL-10-400330 + levels: + - medium + title: RHEL 10 must define default permissions for the system default profile. + rules: + - accounts_umask_etc_profile + - var_accounts_user_umask=077 + status: automated + - id: RHEL-10-400335 + levels: + - medium + title: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles + have mode "0600" or less permissive. + rules: + - rootfiles_configured + status: automated + - id: RHEL-10-400340 + levels: + - medium + title: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host + key files. + rules: + - file_permissions_sshd_private_key + status: automated + - id: RHEL-10-400345 + levels: + - medium + title: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file. + rules: + - file_groupowner_grub2_cfg + status: automated + - id: RHEL-10-400350 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. + rules: + - file_owner_grub2_cfg + status: automated + - id: RHEL-10-400355 + levels: + - medium + title: RHEL 10 must prevent device files from being interpreted on file systems that contain user + home directories. 
+ rules: + - mount_option_home_nodev + status: automated + - id: RHEL-10-400360 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on + file systems that contain user home directories. + rules: + - mount_option_home_nosuid + status: automated + - id: RHEL-10-400365 + levels: + - medium + title: RHEL 10 must prevent code from being executed on file systems that contain user home directories. + rules: + - mount_option_home_noexec + status: automated + - id: RHEL-10-400400 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "nodev" option. + rules: + - mount_option_var_log_audit_nodev + status: automated + - id: RHEL-10-400405 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "noexec" option. + rules: + - mount_option_var_log_audit_noexec + status: automated + - id: RHEL-10-400410 + levels: + - medium + title: RHEL 10 must mount "/var/log/audit" with the "nosuid" option. + rules: + - mount_option_var_log_audit_nosuid + status: automated + - id: RHEL-10-400450 + levels: + - medium + title: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. + rules: + - file_audit_tools_permissions + status: automated + - id: RHEL-10-400500 + levels: + - medium + title: RHEL 10 must prohibit local initialization files from executing world-writable programs. + rules: + - accounts_user_dot_no_world_writable_programs + status: automated + - id: RHEL-10-500000 + levels: + - medium + title: RHEL 10 must enable the systemd-journald service. + rules: + - service_systemd-journald_enabled + status: automated + - id: RHEL-10-500005 + levels: + - medium + title: RHEL 10 must enable auditing of processes that start prior to the audit daemon. + rules: + - grub2_audit_argument + status: automated + - id: RHEL-10-500010 + levels: + - medium + title: RHEL 10 must audit local events. 
+ rules: + - auditd_local_events + status: automated + - id: RHEL-10-500015 + levels: + - medium + title: RHEL 10 must write audit records to disk. + rules: + - auditd_write_logs + status: automated + - id: RHEL-10-500020 + levels: + - medium + title: RHEL 10 must log username information when unsuccessful login attempts occur. + rules: + - accounts_passwords_pam_faillock_audit + status: automated + - id: RHEL-10-500025 + levels: + - medium + title: RHEL 10 must allow only the information system security manager (ISSM) (or individuals or + roles appointed by the ISSM) to select which auditable events are to be audited. + rules: + - file_permissions_etc_audit_auditd + - file_permissions_etc_audit_rulesd + status: automated + - id: RHEL-10-500030 + levels: + - medium + title: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that + start prior to the audit daemon. + rules: + - grub2_audit_backlog_limit_argument + - var_audit_backlog_limit=8192 + status: automated + - id: RHEL-10-500035 + levels: + - medium + title: RHEL 10 must take appropriate action when a critical audit processing failure occurs. + rules: + - audit_rules_system_shutdown + - var_audit_failure_mode=panic + status: automated + - id: RHEL-10-500040 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of + the audit record storage capacity. + rules: + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated + - id: RHEL-10-500045 + levels: + - medium + title: RHEL 10 must label all off-loaded audit logs before sending them to the central log server. 
+ rules: + - auditd_name_format + - var_auditd_name_format=stig + status: automated + - id: RHEL-10-500100 + levels: + - low + title: RHEL 10 must allocate audit record storage capacity to store at least one week's worth of + audit records. + rules: + - auditd_audispd_configure_sufficiently_large_partition + - partition_for_var_log_audit + status: automated + - id: RHEL-10-500105 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of + the audit record storage capacity. + rules: + - auditd_data_retention_admin_space_left_percentage + - var_auditd_admin_space_left_percentage=5pc + status: automated + - id: RHEL-10-500110 + levels: + - medium + title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of + the repository maximum audit record storage capacity. + rules: + - auditd_data_retention_admin_space_left_action + - var_auditd_admin_space_left_action=single + status: automated + - id: RHEL-10-500115 + levels: + - medium + title: RHEL 10 must take appropriate action when the internal event queue is full. + rules: + - auditd_overflow_action + status: automated + - id: RHEL-10-500120 + levels: + - medium + title: RHEL 10 must produce audit records containing information to establish the identity of any + individual or process associated with the event. + rules: + - auditd_log_format + status: automated + - id: RHEL-10-500125 + levels: + - medium + title: RHEL 10 must periodically flush audit records to disk to ensure that audit records are not + lost. + rules: + - auditd_freq + - var_auditd_freq=100 + status: automated + - id: RHEL-10-500205 + levels: + - medium + title: RHEL 10 must notify the system administrator (SA) and information system security officer + (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. 
+ rules: + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_percentage + - var_auditd_space_left_action=email + - var_auditd_space_left_percentage=25pc + status: automated + - id: RHEL-10-500210 + levels: + - medium + title: RHEL 10 must notify the system administrator (SA) and/or information system security officer + (ISSO) (at a minimum) of an audit processing failure. + rules: + - auditd_data_retention_action_mail_acct + - var_auditd_action_mail_acct=root + status: automated + - id: RHEL-10-500215 + levels: + - medium + title: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server. + rules: + - sshd_set_loglevel_verbose + status: automated + - id: RHEL-10-500300 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" + system call. + rules: + - audit_rules_suid_privilege_function + status: automated + - id: RHEL-10-500310 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr", + "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. + rules: + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lremovexattr + status: automated + - id: RHEL-10-500320 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system + calls. + rules: + - audit_rules_privileged_commands_umount + status: automated + - id: RHEL-10-500330 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl" + command. 
+ rules: + - audit_rules_execution_chacl + status: automated + - id: RHEL-10-500340 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl" + command. + rules: + - audit_rules_execution_setfacl + status: automated + - id: RHEL-10-500350 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon" + command. + rules: + - audit_rules_execution_chcon + status: automated + - id: RHEL-10-500360 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage" + command. + rules: + - audit_rules_execution_semanage + status: automated + - id: RHEL-10-500370 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles" + command. + rules: + - audit_rules_execution_setfiles + status: automated + - id: RHEL-10-500380 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool" + command. + rules: + - audit_rules_execution_setsebool + status: automated + - id: RHEL-10-500390 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate", + "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. + rules: + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_open_by_handle_at + status: automated + - id: RHEL-10-500400 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module" + system call. 
+ rules: + - audit_rules_kernel_module_loading_delete + status: automated + - id: RHEL-10-500410 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module" + and "finit_module" system calls. + rules: + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_finit + status: automated + - id: RHEL-10-500420 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage" + command. + rules: + - audit_rules_privileged_commands_chage + status: automated + - id: RHEL-10-500430 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command. + rules: + - audit_rules_privileged_commands_chsh + status: automated + - id: RHEL-10-500440 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab" + command. + rules: + - audit_rules_privileged_commands_crontab + status: automated + - id: RHEL-10-500450 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd" + command. + rules: + - audit_rules_privileged_commands_gpasswd + status: automated + - id: RHEL-10-500460 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command. + rules: + - audit_rules_privileged_commands_kmod + status: automated + - id: RHEL-10-500470 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp" + command. + rules: + - audit_rules_privileged_commands_newgrp + status: automated + - id: RHEL-10-500480 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check" + command. 
+ rules: + - audit_rules_privileged_commands_pam_timestamp_check + status: automated + - id: RHEL-10-500490 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd" + command. + rules: + - audit_rules_privileged_commands_passwd + status: automated + - id: RHEL-10-500500 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop" + command. + rules: + - audit_rules_privileged_commands_postdrop + status: automated + - id: RHEL-10-500510 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue" + command. + rules: + - audit_rules_privileged_commands_postqueue + status: automated + - id: RHEL-10-500520 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the ssh-agent + command. + rules: + - audit_rules_privileged_commands_ssh_agent + status: automated + - id: RHEL-10-500530 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign" + command. + rules: + - audit_rules_privileged_commands_ssh_keysign + status: automated + - id: RHEL-10-500540 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command. + rules: + - audit_rules_privileged_commands_su + status: automated + - id: RHEL-10-500550 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command. + rules: + - audit_rules_privileged_commands_sudo + status: automated + - id: RHEL-10-500560 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit" + command. 
+ rules: + - audit_rules_privileged_commands_sudoedit + status: automated + - id: RHEL-10-500570 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd" + command. + rules: + - audit_rules_privileged_commands_unix_chkpwd + status: automated + - id: RHEL-10-500580 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update" + command. + rules: + - audit_rules_privileged_commands_unix_update + status: automated + - id: RHEL-10-500590 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper" + command. + rules: + - audit_rules_privileged_commands_userhelper + status: automated + - id: RHEL-10-500600 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod" + command. + rules: + - audit_rules_privileged_commands_usermod + status: automated + - id: RHEL-10-500610 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount" + command. + rules: + - audit_rules_media_export + notes: > + Confusing requirement, probably a bug in the DISA STIG - title mentions the + "mount" command but the example audit rule in the check and fixtext isn't + an audit rule watching a command, instead it watches the mount syscall. + The selected rule audit_rules_media_export watches the syscall. If the + command should be watched, the rule audit_rules_privileged_commands_mount + should be selected instead. + status: automated + - id: RHEL-10-500620 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command. + rules: + - audit_privileged_commands_init + status: automated + - id: RHEL-10-500630 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff" + command. 
+ rules: + - audit_privileged_commands_poweroff + status: automated + - id: RHEL-10-500640 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot" + command. + rules: + - audit_privileged_commands_reboot + status: automated + - id: RHEL-10-500650 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the shutdown + command. + rules: + - audit_privileged_commands_shutdown + status: automated + - id: RHEL-10-500660 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount" + system call. + rules: + - audit_rules_dac_modification_umount + status: automated + - id: RHEL-10-500670 + levels: + - medium + title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" + system call. + rules: + - audit_rules_dac_modification_umount2 + status: automated + - id: RHEL-10-500680 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/sudoers". + rules: + - audit_rules_sudoers + status: automated + - id: RHEL-10-500690 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect the "/etc/sudoers.d/" directory. + rules: + - audit_rules_sudoers_d + status: automated + - id: RHEL-10-500700 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/group". + rules: + - audit_rules_usergroup_modification_group + status: automated + - id: RHEL-10-500710 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/gshadow". 
+ rules: + - audit_rules_usergroup_modification_gshadow + status: automated + - id: RHEL-10-500720 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/opasswd". + rules: + - audit_rules_usergroup_modification_opasswd + status: automated + - id: RHEL-10-500730 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/passwd". + rules: + - audit_rules_usergroup_modification_passwd + status: automated + - id: RHEL-10-500740 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/etc/shadow". + rules: + - audit_rules_usergroup_modification_shadow + status: automated + - id: RHEL-10-500750 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/var/log/faillock". + rules: + - audit_rules_login_events_faillock + status: automated + - id: RHEL-10-500760 + levels: + - medium + title: RHEL 10 must generate audit records for all account creations, modifications, disabling, + and termination events that affect "/var/log/lastlog". + rules: + - audit_rules_login_events_lastlog + status: automated + - id: RHEL-10-500780 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and + "fchmodat2" syscalls. + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + status: automated + - id: RHEL-10-500790 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and + "lchown" syscalls. 
+ rules: + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown + status: automated + - id: RHEL-10-500810 + levels: + - medium + title: RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat", + "renameat2", and "unlinkat" system calls. + rules: + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_renameat2 + - audit_rules_file_deletion_events_unlinkat + status: automated + - id: RHEL-10-600000 + levels: + - medium + title: RHEL 10 must require a boot loader superuser password. + rules: + - grub2_password + status: automated + - id: RHEL-10-600010 + levels: + - medium + title: RHEL 10 must require a unique superusers name upon booting into single-user and maintenance + modes. + rules: + - grub2_admin_username + status: automated + - id: RHEL-10-600020 + levels: + - medium + title: RHEL 10 must not assign an interactive login shell for system accounts. + rules: + - no_shelllogin_for_systemaccounts + status: automated + - id: RHEL-10-600100 + levels: + - medium + title: RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime + restriction for user account passwords in "/etc/login.defs". + rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=60 + status: automated + - id: RHEL-10-600110 + levels: + - medium + title: RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction. + rules: + - accounts_password_set_max_life_existing + - var_accounts_maximum_age_login_defs=60 + status: automated + - id: RHEL-10-600120 + levels: + - medium + title: RHEL 10 must assign a home directory for local interactive user accounts upon creation. 
+ rules: + - accounts_have_homedir_login_defs + status: automated + - id: RHEL-10-600130 + levels: + - medium + title: RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users. + rules: + - account_unique_id + status: automated + - id: RHEL-10-600140 + levels: + - medium + title: RHEL 10 must automatically expire temporary accounts within 72 hours. + rules: + - account_temp_expire_date + status: automated + - id: RHEL-10-600150 + levels: + - medium + title: RHEL 10 must assign a primary group to all interactive users. + rules: + - gid_passwd_group_same + status: automated + - id: RHEL-10-600160 + levels: + - medium + title: RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after + 35 days of inactivity. + rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=35 + status: automated + - id: RHEL-10-600170 + levels: + - medium + title: RHEL 10 must be configured so that all local interactive user initialization file executable + search path statements do not contain statements that will reference a working directory other + than user home directories. + rules: + - accounts_user_home_paths_only + status: automated + - id: RHEL-10-600180 + levels: + - medium + title: RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" + file. + rules: + - accounts_user_interactive_home_directory_defined + status: automated + - id: RHEL-10-600190 + levels: + - medium + title: RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" + file must exist. + rules: + - accounts_user_interactive_home_directory_exists + status: automated + - id: RHEL-10-600200 + levels: + - medium + title: RHEL 10 must enforce a delay of at least four seconds between login prompts following a + failed login attempt. 
+ rules: + - accounts_logon_fail_delay + - var_accounts_fail_delay=4 + status: automated + - id: RHEL-10-600210 + levels: + - medium + title: RHEL 10 must enforce a 24-hours minimum password lifetime restriction for passwords for + new users or password changes in "/etc/login.defs". + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + status: automated + - id: RHEL-10-600220 + levels: + - medium + title: RHEL 10 must enforce that passwords be created with a minimum of 15 characters. + rules: + - accounts_password_pam_minlen + - var_password_pam_minlen=15 + status: automated + - id: RHEL-10-600230 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring at least one special character to + be used. + rules: + - accounts_password_pam_ocredit + - var_password_pam_ocredit=1 + status: automated + - id: RHEL-10-600240 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one lowercase character + be used. + rules: + - accounts_password_pam_lcredit + - var_password_pam_lcredit=1 + status: automated + - id: RHEL-10-600250 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one uppercase character + be used. + rules: + - accounts_password_pam_ucredit + - var_password_pam_ucredit=1 + status: automated + - id: RHEL-10-600260 + levels: + - medium + title: RHEL 10 must require the change of at least eight characters when passwords are changed. + rules: + - accounts_password_pam_difok + - var_password_pam_difok=8 + status: automated + - id: RHEL-10-600270 + levels: + - medium + title: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in + "/etc/shadow". 
+ rules: + - accounts_password_set_min_life_existing + - var_accounts_minimum_age_login_defs=1 + status: automated + - id: RHEL-10-600280 + levels: + - medium + title: RHEL 10 must require the maximum number of repeating characters of the same character class + to be limited to four when passwords are changed. + rules: + - accounts_password_pam_maxclassrepeat + - var_password_pam_maxclassrepeat=4 + status: automated + - id: RHEL-10-600290 + levels: + - medium + title: RHEL 10 must require that the maximum number of repeating characters be limited to three + when passwords are changed. + rules: + - accounts_password_pam_maxrepeat + - var_password_pam_maxrepeat=3 + status: automated + - id: RHEL-10-600300 + levels: + - medium + title: RHEL 10 must require the change of at least four character classes when passwords are changed. + rules: + - accounts_password_pam_minclass + - var_password_pam_minclass=4 + status: automated + - id: RHEL-10-600310 + levels: + - medium + title: RHEL 10 must enforce password complexity by requiring that at least one numeric character + be used. + rules: + - accounts_password_pam_dcredit + - var_password_pam_dcredit=1 + status: automated + - id: RHEL-10-600320 + levels: + - medium + title: RHEL 10 must prevent the use of dictionary words for passwords. + rules: + - accounts_password_pam_dictcheck + status: automated + - id: RHEL-10-600400 + levels: + - medium + title: RHEL 10 must allow only the root account to have unrestricted access to the system. + rules: + - accounts_no_uid_except_zero + status: automated + - id: RHEL-10-600405 + levels: + - medium + title: RHEL 10 must enforce password complexity rules for the "root" account. + rules: + - accounts_password_pam_enforce_root + status: automated + - id: RHEL-10-600410 + levels: + - medium + title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur. 
+ rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + status: automated + - id: RHEL-10-600415 + levels: + - medium + title: RHEL 10 must automatically lock the root account until the root account is released by an + administrator when three unsuccessful login attempts occur during a 15-minute time period. + rules: + - accounts_passwords_pam_faillock_deny_root + status: automated + - id: RHEL-10-600420 + levels: + - medium + title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur + during a 15-minute time period. + rules: + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_fail_interval=900 + status: automated + - id: RHEL-10-600425 + levels: + - medium + title: RHEL 10 must maintain an account lock until the locked account is released by an administrator. + rules: + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=never + status: automated + - id: RHEL-10-600430 + levels: + - medium + title: RHEL 10 must ensure account lockouts persist. + rules: + - accounts_passwords_pam_faillock_dir + status: automated + - id: RHEL-10-600450 + levels: + - medium + title: RHEL 10 must not have unauthorized accounts. + rules: + - accounts_authorized_local_users + - var_accounts_authorized_local_users_regex=rhel9 + status: automated + notes: > + TODO: create a RHEL 10 option in the var_accounts_authorized_local_users_regex variable + - id: RHEL-10-600455 + levels: + - medium + title: RHEL 10 must not allow blank or null passwords. + rules: + - no_empty_passwords + status: automated + - id: RHEL-10-600460 + levels: + - medium + title: RHEL 10 must not have accounts configured with blank or null passwords. + rules: + - no_empty_passwords_etc_shadow + status: automated + - id: RHEL-10-600470 + levels: + - medium + title: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". 
+ rules: + - group_unique_id + status: automated + - id: RHEL-10-600475 + levels: + - low + title: RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account + types. + rules: + - accounts_max_concurrent_login_sessions + - var_accounts_max_concurrent_login_sessions=10 + status: automated + - id: RHEL-10-600485 + levels: + - medium + title: RHEL 10 must ensure the password complexity module in the system-auth file is configured + for three or fewer retries. + rules: + - accounts_password_pam_pwquality_retry + - var_password_pam_retry=3 + status: automated + - id: RHEL-10-600500 + levels: + - medium + title: RHEL 10 must restrict the use of the "su" command. + rules: + - use_pam_wheel_for_su + status: automated + - id: RHEL-10-600510 + levels: + - medium + title: RHEL 10 must be configured to not bypass password requirements for privilege escalation. + rules: + - disallow_bypass_password_sudo + status: automated + - id: RHEL-10-600520 + levels: + - medium + title: RHEL 10 must restrict privilege elevation to authorized personnel. + rules: + - sudo_restrict_privilege_elevation_to_authorized + status: automated + - id: RHEL-10-600530 + levels: + - medium + title: RHEL 10 must require users to reauthenticate for privilege escalation. + rules: + - sudo_remove_no_authenticate + status: automated + - id: RHEL-10-600540 + levels: + - medium + title: RHEL 10 must require reauthentication when using the "sudo" command. + rules: + - sudo_require_reauthentication + - var_sudo_timestamp_timeout=always_prompt + status: automated + - id: RHEL-10-600550 + levels: + - medium + title: RHEL 10 must use the invoking user's password for privilege escalation when using "sudo". + rules: + - sudoers_validate_passwd + status: automated + - id: RHEL-10-600560 + levels: + - high + title: RHEL 10 must require users to provide a password for privilege escalation. 
+ rules: + - sudo_remove_nopasswd + status: automated + - id: RHEL-10-600600 + levels: + - medium + title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" + file. + rules: + - account_password_pam_faillock_system_auth + status: automated + - id: RHEL-10-600610 + levels: + - medium + title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" + file. + rules: + - account_password_pam_faillock_password_auth + status: automated + - id: RHEL-10-600620 + levels: + - medium + title: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file. + rules: + - accounts_password_pam_pwquality_password_auth + status: automated + - id: RHEL-10-600630 + levels: + - medium + title: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file. + rules: + - accounts_password_pam_pwquality_system_auth + status: automated + - id: RHEL-10-600640 + levels: + - high + title: RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD. + rules: + - sshd_enable_pam + status: automated + - id: RHEL-10-600650 + levels: + - medium + title: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file + to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. + rules: + - set_password_hashing_algorithm_passwordauth + - var_password_hashing_algorithm_pam=sha512 + status: automated + - id: RHEL-10-600700 + levels: + - medium + title: RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password + suite. 
+ rules: + - accounts_password_pam_unix_rounds_system_auth + - var_password_pam_unix_rounds=100000 + status: automated + - id: RHEL-10-600710 + levels: + - medium + title: RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm + for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" + file. + rules: + - set_password_hashing_algorithm_systemauth + - var_password_hashing_algorithm_pam=sha512 + status: automated + - id: RHEL-10-600720 + levels: + - medium + title: RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds. + rules: + - accounts_password_pam_unix_rounds_password_auth + - var_password_pam_unix_rounds=100000 + status: automated + - id: RHEL-10-600730 + levels: + - high + title: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored + passwords. + rules: + - accounts_password_all_shadowed_sha512 + status: automated + - id: RHEL-10-600740 + levels: + - high + title: RHEL 10 must be configured to use the shadow file to store only encrypted representations + of passwords. + rules: + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + status: automated + - id: RHEL-10-600750 + levels: + - high + title: RHEL 10 must be configured so that user and group account administration utilities are configured + to store only encrypted representations of passwords. + rules: + - set_password_hashing_algorithm_libuserconf + - var_password_hashing_algorithm_pam=sha512 + status: automated + - id: RHEL-10-700010 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting + local or remote access to the system via a Secure Shell (SSH) login. 
+ rules: + - sshd_enable_warning_banner + status: automated + - id: RHEL-10-700020 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting + local or remote access to the system via a graphical user login. + rules: + - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default + status: automated + - id: RHEL-10-700030 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical + user interface. + rules: + - dconf_gnome_banner_enabled + status: automated + - id: RHEL-10-700040 + levels: + - medium + title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting + local or remote access to the system via a command line user login. + rules: + - banner_etc_issue + - login_banner_text=dod_banners + - login_banner_contents=dod_default + status: automated + - id: RHEL-10-700100 + levels: + - medium + title: RHEL 10 must prevent special devices on file systems that are imported via Network File + System (NFS). + rules: + - mount_option_nodev_remote_filesystems + status: automated + - id: RHEL-10-700105 + levels: + - medium + title: RHEL 10 must prevent code from being executed on file systems that are imported via Network + File System (NFS). + rules: + - mount_option_noexec_remote_filesystems + status: automated + - id: RHEL-10-700110 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on + file systems that are imported via Network File System (NFS). + rules: + - mount_option_nosuid_remote_filesystems + status: automated + - id: RHEL-10-700115 + levels: + - medium + title: RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. 
+ rules: + - mount_option_krb_sec_remote_filesystems + status: automated + - id: RHEL-10-700120 + levels: + - medium + title: RHEL 10 must mount "/boot" with the "nodev" option. + rules: + - mount_option_boot_nodev + status: automated + - id: RHEL-10-700125 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on + the "/boot" directory. + rules: + - mount_option_boot_nosuid + status: automated + - id: RHEL-10-700130 + levels: + - medium + title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on + the "/boot/efi" directory. + rules: + - mount_option_boot_efi_nosuid + status: automated + - id: RHEL-10-700135 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "nodev" option. + rules: + - mount_option_dev_shm_nodev + status: automated + - id: RHEL-10-700140 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "noexec" option. + rules: + - mount_option_dev_shm_noexec + status: automated + - id: RHEL-10-700145 + levels: + - medium + title: RHEL 10 must mount "/dev/shm" with the "nosuid" option. + rules: + - mount_option_dev_shm_nosuid + status: automated + - id: RHEL-10-700150 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "nodev" option. + rules: + - mount_option_tmp_nodev + status: automated + - id: RHEL-10-700155 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "noexec" option. + rules: + - mount_option_tmp_noexec + status: automated + - id: RHEL-10-700160 + levels: + - medium + title: RHEL 10 must mount "/tmp" with the "nosuid" option. + rules: + - mount_option_tmp_nosuid + status: automated + - id: RHEL-10-700165 + levels: + - medium + title: RHEL 10 must mount "/var" with the "nodev" option. + rules: + - mount_option_var_nodev + status: automated + - id: RHEL-10-700170 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "nodev" option. 
+ rules: + - mount_option_var_log_nodev + status: automated + - id: RHEL-10-700175 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "noexec" option. + rules: + - mount_option_var_log_noexec + status: automated + - id: RHEL-10-700180 + levels: + - medium + title: RHEL 10 must mount "/var/log" with the "nosuid" option. + rules: + - mount_option_var_log_nosuid + status: automated + - id: RHEL-10-700185 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "nodev" option. + rules: + - mount_option_var_tmp_nodev + status: automated + - id: RHEL-10-700190 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "noexec" option. + rules: + - mount_option_var_tmp_noexec + status: automated + - id: RHEL-10-700195 + levels: + - medium + title: RHEL 10 must mount "/var/tmp" with the "nosuid" option. + rules: + - mount_option_var_tmp_nosuid + status: automated + - id: RHEL-10-700200 + levels: + - medium + title: RHEL 10 must prevent special devices on nonroot local partitions. + rules: + - mount_option_nodev_nonroot_local_partitions + status: automated + - id: RHEL-10-700400 + levels: + - medium + title: RHEL 10 must enable the SELinux targeted policy. + rules: + - selinux_policytype + - var_selinux_policy_name=targeted + status: automated + - id: RHEL-10-700410 + levels: + - medium + title: RHEL 10 must elevate the SELinux context when an administrator calls the sudo command. + rules: + - selinux_context_elevation_for_sudo + status: automated + - id: RHEL-10-700420 + levels: + - medium + title: RHEL 10 must use a Linux Security Module configured to enforce limits on system services. + rules: + - selinux_state + - var_selinux_state=enforcing + status: automated + - id: RHEL-10-700430 + levels: + - medium + title: RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally + directory. 
+ rules: + - account_password_selinux_faillock_dir + status: automated + - id: RHEL-10-700500 + levels: + - medium + title: RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" + or less permissive. + rules: + - file_permissions_sshd_pub_key + status: automated + - id: RHEL-10-700510 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic + Security Service Application Program Interface (GSSAPI) authentication. + rules: + - sshd_disable_gssapi_auth + status: automated + - id: RHEL-10-700520 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos + authentication. + rules: + - sshd_disable_kerb_auth + status: automated + - id: RHEL-10-700530 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication. + rules: + - sshd_disable_rhosts + status: automated + - id: RHEL-10-700540 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts + authentication. + rules: + - sshd_disable_user_known_hosts + status: automated + - id: RHEL-10-700550 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections + for interactive users. + rules: + - sshd_disable_x11_forwarding + status: automated + - id: RHEL-10-700560 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking + of home directory configuration files. + rules: + - sshd_enable_strictmodes + status: automated + - id: RHEL-10-700570 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time + of the last successful account login upon an SSH login. 
+ rules: + - sshd_print_last_log + status: automated + - id: RHEL-10-700580 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from + connecting to the proxy display. + rules: + - sshd_x11_use_localhost + status: automated + - id: RHEL-10-700590 + levels: + - medium + title: RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions + are not modified. + rules: + - file_permissions_sshd_config + - directory_permissions_sshd_config_d + - file_permissions_sshd_drop_in_config + notes: > + TODO: STIG recommends to use rpm to verify the permissions. + status: automated + - id: RHEL-10-700600 + levels: + - medium + title: RHEL 10 must be configured so that SSHD accepts public key authentication. + rules: + - sshd_enable_pubkey_auth + status: automated + - id: RHEL-10-700610 + levels: + - medium + title: RHEL 10 must be configured so that SSHD does not allow blank passwords. + rules: + - sshd_disable_empty_passwords + status: automated + - id: RHEL-10-700620 + levels: + - medium + title: RHEL 10 must not permit direct logins to the root account using remote access via Secure + Shell (SSH). + rules: + - sshd_disable_root_login + status: automated + - id: RHEL-10-700630 + levels: + - medium + title: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system. + rules: + - disable_host_auth + status: automated + - id: RHEL-10-700640 + levels: + - high + title: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables. + rules: + - sshd_do_not_permit_user_env + status: automated + - id: RHEL-10-700650 + levels: + - high + title: RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections + to the server. 
+ rules: + - sshd_rekey_limit + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + status: automated + - id: RHEL-10-700660 + levels: + - medium + title: RHEL 10 must be configured so that all network connections associated with Secure Shell + (SSH) traffic terminate after becoming unresponsive. + rules: + - sshd_set_keepalive + - var_sshd_set_keepalive=1 + status: automated + - id: RHEL-10-700670 + levels: + - medium + title: RHEL 10 must forward mail from postmaster to the root account using a postfix alias. + rules: + - postfix_client_configure_mail_alias_postmaster + status: automated + - id: RHEL-10-700680 + levels: + - medium + title: RHEL 10 must not have a "shosts.equiv" file on the system. + rules: + - no_host_based_files + status: automated + - id: RHEL-10-700690 + levels: + - medium + title: RHEL 10 must not have any ".shosts" files on the system. + rules: + - no_user_host_based_files + status: automated + - id: RHEL-10-700700 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface + automount function. + rules: + - dconf_gnome_disable_automount_open + status: automated + - id: RHEL-10-700710 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface + autorun function. + rules: + - dconf_gnome_disable_autorun + status: automated + - id: RHEL-10-700720 + levels: + - high + title: RHEL 10 must not allow unattended or automatic login via the graphical user interface. + rules: + - gnome_gdm_disable_automatic_login + status: automated + - id: RHEL-10-700730 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card + removal action. 
+ rules: + - dconf_gnome_lock_screen_on_smartcard_removal + status: automated + - id: RHEL-10-700740 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the + graphical user interface. + rules: + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_locked + status: automated + - id: RHEL-10-700750 + levels: + - medium + title: RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity. + rules: + - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=15_minutes + status: automated + - id: RHEL-10-700760 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical + user interface. + rules: + - dconf_gnome_session_idle_user_locks + status: automated + - id: RHEL-10-700770 + levels: + - medium + title: RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver + is activated. + rules: + - dconf_gnome_screensaver_lock_delay + - var_screensaver_lock_delay=5_seconds + status: automated + - id: RHEL-10-700780 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical + user interface. + rules: + - dconf_gnome_screensaver_user_locks + status: automated + - id: RHEL-10-700790 + levels: + - medium + title: RHEL 10 must conceal, via the session lock, information previously visible on the display + with a publicly viewable image. + rules: + - dconf_gnome_screensaver_mode_blank + status: automated + - id: RHEL-10-700800 + levels: + - medium + title: RHEL 10 must ensure effective dconf policy matches the policy keyfiles. + rules: + - dconf_db_up_to_date + status: automated + - id: RHEL-10-700810 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the + graphical user interface. 
+ rules: + - dconf_gnome_disable_restart_shutdown + status: automated + - id: RHEL-10-700820 + levels: + - medium + title: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical + user interface. + rules: + - dconf_gnome_disable_ctrlaltdel_reboot + status: automated + - id: RHEL-10-700830 + levels: + - medium + title: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause + a system to shut down or reboot. + rules: + - disable_ctrlaltdel_reboot + status: automated + - id: RHEL-10-700840 + levels: + - medium + title: RHEL 10 must disable the user list at login for graphical user interfaces. + rules: + - dconf_gnome_disable_user_list + status: automated + - id: RHEL-10-700850 + levels: + - medium + title: RHEL 10 must be configured to disable USB mass storage. + rules: + - kernel_module_usb-storage_disabled + status: automated + - id: RHEL-10-700860 + levels: + - medium + title: RHEL 10 must disable Bluetooth. + rules: + - kernel_module_bluetooth_disabled + status: automated + - id: RHEL-10-700870 + levels: + - medium + title: RHEL 10 must disable wireless network adapters. + rules: + - wireless_disable_interfaces + status: automated + - id: RHEL-10-700880 + levels: + - medium + title: RHEL 10 must disable the graphical user interface automounter unless required. + rules: + - dconf_gnome_disable_automount_open + status: automated + - id: RHEL-10-700890 + levels: + - low + title: RHEL 10 must disable the graphical user interface autorunner unless required. + rules: + - dconf_gnome_disable_autorun + status: automated + - id: RHEL-10-700900 + levels: + - medium + title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution. + rules: + - bios_enable_execution_restrictions + status: automated + - id: RHEL-10-700920 + levels: + - medium + title: RHEL 10 must automatically exit interactive command shell user sessions after 15 minutes + of inactivity. 
+ rules: + - accounts_tmout + - var_accounts_tmout=15_min + status: automated + - id: RHEL-10-700930 + levels: + - medium + title: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon. + rules: + - sshd_set_idle_timeout + - sshd_idle_timeout_value=10_minutes + status: automated + - id: RHEL-10-700940 + levels: + - medium + title: RHEL 10 must not default to the graphical display manager unless approved. + rules: + - xwindows_runlevel_target + status: automated + - id: RHEL-10-700950 + levels: + - high + title: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence. + rules: + - disable_ctrlaltdel_burstaction + status: automated + - id: RHEL-10-700960 + levels: + - high + title: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence. + rules: + - disable_ctrlaltdel_reboot + status: automated + - id: RHEL-10-700980 + levels: + - medium + title: RHEL 10 must disable the ability of systemd to spawn an interactive boot process. + rules: + - grub2_disable_interactive_boot + status: automated + - id: RHEL-10-700990 + levels: + - medium + title: RHEL 10 must disable virtual system calls. + rules: + - grub2_vsyscall_argument + status: automated + - id: RHEL-10-701000 + levels: + - medium + title: RHEL 10 must clear the page allocator to prevent use-after-free attacks. + rules: + - grub2_page_poison_argument + status: automated + - id: RHEL-10-701010 + levels: + - medium + title: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks. + rules: + - grub2_init_on_free + status: automated + - id: RHEL-10-701020 + levels: + - medium + title: RHEL 10 must enable mitigations against processor-based vulnerabilities. + rules: + - grub2_pti_argument + status: automated + - id: RHEL-10-701030 + levels: + - medium + title: RHEL 10 must restrict access to the kernel message buffer. 
+ rules: + - sysctl_kernel_dmesg_restrict + status: automated + - id: RHEL-10-701040 + levels: + - medium + title: RHEL 10 must prevent kernel profiling by nonprivileged users. + rules: + - sysctl_kernel_perf_event_paranoid + status: automated + - id: RHEL-10-701050 + levels: + - high + title: RHEL 10 must prevent the loading of a new kernel for later execution. + rules: + - sysctl_kernel_kexec_load_disabled + status: automated + - id: RHEL-10-701060 + levels: + - medium + title: RHEL 10 must restrict exposed kernel pointer address access. + rules: + - sysctl_kernel_kptr_restrict + status: automated + - id: RHEL-10-701070 + levels: + - medium + title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks. + rules: + - sysctl_fs_protected_hardlinks + status: automated + - id: RHEL-10-701080 + levels: + - medium + title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. + rules: + - sysctl_fs_protected_symlinks + status: automated + - id: RHEL-10-701090 + levels: + - medium + title: RHEL 10 must disable the "kernel.core_pattern". + rules: + - sysctl_kernel_core_pattern + status: automated + - id: RHEL-10-701100 + levels: + - medium + title: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module. + rules: + - kernel_module_can_disabled + status: automated + - id: RHEL-10-701110 + levels: + - medium + title: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module. + rules: + - kernel_module_sctp_disabled + status: automated + - id: RHEL-10-701120 + levels: + - medium + title: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module. + rules: + - kernel_module_tipc_disabled + status: automated + - id: RHEL-10-701130 + levels: + - medium + title: RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from + unauthorized code execution. 
+ rules: + - sysctl_kernel_randomize_va_space + status: automated + - id: RHEL-10-701140 + levels: + - medium + title: RHEL 10 must restrict usage of ptrace to descendant processes. + rules: + - sysctl_kernel_yama_ptrace_scope + status: automated + - id: RHEL-10-701150 + levels: + - medium + title: RHEL 10 must disable core dump backtraces. + rules: + - coredump_disable_backtraces + status: automated + - id: RHEL-10-701160 + levels: + - medium + title: RHEL 10 must disable storing core dumps. + rules: + - coredump_disable_storage + status: automated + - id: RHEL-10-701170 + levels: + - medium + title: RHEL 10 must disable core dumps for all users. + rules: + - disable_users_coredumps + status: automated + - id: RHEL-10-701180 + levels: + - medium + title: RHEL 10 must disable acquiring, saving, and processing core dumps. + rules: + - service_systemd-coredump_disabled + status: automated + - id: RHEL-10-701190 + levels: + - medium + title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution. + rules: + - sysctl_kernel_exec_shield + status: automated + - id: RHEL-10-701200 + levels: + - medium + title: RHEL 10 must disable the kdump service. + rules: + - service_kdump_disabled + status: automated + - id: RHEL-10-701210 + levels: + - medium + title: RHEL 10 must disable file system automount function unless required. + rules: + - service_autofs_disabled + status: automated + - id: RHEL-10-701220 + levels: + - medium + title: RHEL 10 must enable certificate-based smart card authentication. + rules: + - sssd_enable_smartcards + status: automated + - id: RHEL-10-701230 + levels: + - medium + title: RHEL 10 must implement certificate status checking for multifactor authentication. 
+ rules: + - sssd_certificate_verification + - var_sssd_certificate_verification_digest_function=sha512 + status: automated + - id: RHEL-10-701240 + levels: + - medium + title: RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding + private key. + rules: + - ssh_keys_passphrase_protected + status: automated + - id: RHEL-10-701250 + levels: + - medium + title: RHEL 10 must require authentication to access emergency mode. + rules: + - require_emergency_target_auth + status: automated + - id: RHEL-10-701260 + levels: + - medium + title: RHEL 10 must require authentication to access single-user mode. + rules: + - require_singleuser_auth + status: automated + - id: RHEL-10-701270 + levels: + - medium + title: RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification + path (which includes status information) to an accepted trust anchor. + rules: + - sssd_has_trust_anchor + status: automated + - id: RHEL-10-701280 + levels: + - medium + title: RHEL 10 must map the authenticated identity to the user or group account for public key + infrastructure (PKI)-based authentication. + rules: + - sssd_enable_certmap + status: automated + - id: RHEL-10-701290 + levels: + - medium + title: RHEL 10 must prohibit the use of cached authenticators after one day. + rules: + - sssd_offline_cred_expiration + status: automated + - id: RHEL-10-800000 + levels: + - medium + title: RHEL 10 must control remote access methods. + rules: + - configure_firewalld_ports + status: automated + - id: RHEL-10-800010 + levels: + - medium + title: RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, + and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category + Assignments List (CAL) and vulnerability assessments. 
+ rules: + - firewalld_sshd_port_enabled + status: automated + - id: RHEL-10-800020 + levels: + - medium + title: RHEL 10 must enforce that network interfaces not be in promiscuous mode. + rules: + - network_sniffer_disabled + status: automated + - id: RHEL-10-800030 + levels: + - medium + title: RHEL 10 must disable access to the network bpf system call from nonprivileged processes. + rules: + - sysctl_kernel_unprivileged_bpf_disabled + status: automated + - id: RHEL-10-800040 + levels: + - medium + title: RHEL 10 must securely compare internal information system clocks at least every 24 hours. + rules: + - chronyd_or_ntpd_set_maxpoll + - chronyd_server_directive + - chronyd_specify_remote_server + - var_multiple_time_servers=stig + - var_time_service_set_maxpoll=18_hours + status: automated + - id: RHEL-10-800050 + levels: + - medium + title: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. + rules: + - sysctl_net_core_bpf_jit_harden + status: automated + - id: RHEL-10-800060 + levels: + - medium + title: RHEL 10 must have at least two name servers configured for systems using Domain Name Server + (DNS) resolution. + rules: + - network_configure_name_resolution + status: automated + - id: RHEL-10-800070 + levels: + - medium + title: RHEL 10 must not have unauthorized IP tunnels configured. + rules: + - libreswan_approved_tunnels + status: automated + - id: RHEL-10-800080 + levels: + - medium + title: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies. + rules: + - sysctl_net_ipv4_tcp_syncookies + status: automated + - id: RHEL-10-800090 + levels: + - medium + title: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol + (ICMP) redirect messages. + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + status: automated + - id: RHEL-10-800100 + levels: + - medium + title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets. 
+ rules: + - sysctl_net_ipv4_conf_all_accept_source_route + status: automated + - id: RHEL-10-800110 + levels: + - medium + title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses. + rules: + - sysctl_net_ipv4_conf_all_log_martians + status: automated + - id: RHEL-10-800120 + levels: + - medium + title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by + default. + rules: + - sysctl_net_ipv4_conf_default_log_martians + status: automated + - id: RHEL-10-800130 + levels: + - medium + title: RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces. + rules: + - sysctl_net_ipv4_conf_all_rp_filter + status: automated + - id: RHEL-10-800140 + levels: + - medium + title: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol + (ICMP) redirect messages from being accepted. + rules: + - sysctl_net_ipv4_conf_default_accept_redirects + status: automated + - id: RHEL-10-800150 + levels: + - medium + title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. + rules: + - sysctl_net_ipv4_conf_default_accept_source_route + status: automated + - id: RHEL-10-800160 + levels: + - medium + title: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic + when possible by default. + rules: + - sysctl_net_ipv4_conf_default_rp_filter + status: automated + - id: RHEL-10-800170 + levels: + - medium + title: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast + address. + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + status: automated + - id: RHEL-10-800180 + levels: + - medium + title: RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response + errors logs. 
+ rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + status: automated + - id: RHEL-10-800190 + levels: + - medium + title: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects. + rules: + - sysctl_net_ipv4_conf_all_send_redirects + status: automated + - id: RHEL-10-800200 + levels: + - medium + title: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects + by default. + rules: + - sysctl_net_ipv4_conf_default_send_redirects + status: automated + - id: RHEL-10-800210 + levels: + - medium + title: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the + system is a router. + rules: + - sysctl_net_ipv4_conf_all_forwarding + status: automated + - id: RHEL-10-800220 + levels: + - medium + title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) + interfaces. + rules: + - sysctl_net_ipv6_conf_all_accept_ra + status: automated + - id: RHEL-10-800230 + levels: + - medium + title: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + rules: + - sysctl_net_ipv6_conf_all_accept_redirects + status: automated + - id: RHEL-10-800240 + levels: + - medium + title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets. + rules: + - sysctl_net_ipv6_conf_all_accept_source_route + status: automated + - id: RHEL-10-800250 + levels: + - medium + title: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the + system is a router. + rules: + - sysctl_net_ipv6_conf_all_forwarding + status: automated + - id: RHEL-10-800260 + levels: + - medium + title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) + interfaces by default. 
+ rules: + - sysctl_net_ipv6_conf_default_accept_ra + status: automated + - id: RHEL-10-800270 + levels: + - medium + title: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol + (ICMP) redirect messages from being accepted. + rules: + - sysctl_net_ipv6_conf_default_accept_redirects + status: automated + - id: RHEL-10-800280 + levels: + - medium + title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. + rules: + - sysctl_net_ipv6_conf_default_accept_source_route + status: automated + - id: RHEL-10-800290 + levels: + - medium + title: RHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by + ensuring that rate-limiting measures on impacted network interfaces are implemented. + rules: + - firewalld-backend + related_rules: + - sysctl_net_ipv4_tcp_invalid_ratelimit + - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred + notes: > + TODO: resolve mismatch of title and description + status: automated + - id: RHEL-10-800300 + levels: + - medium + title: RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with + other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks. + rules: + - networkmanager_dns_mode + - var_networkmanager_dns_mode=explicit_default + status: automated + - id: RHEL-10-800310 + levels: + - medium + title: RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol + (TFTP) server service is required. + rules: + - tftp_uses_secure_mode_systemd + status: automated + - id: RHEL-10-900000 + levels: + - medium + title: RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent + unauthorized access. + rules: + - file_permissions_etc_audit_auditd + status: automated + - id: RHEL-10-900100 + levels: + - medium + title: RHEL 10 must prevent unauthorized changes to the audit system. 
+ rules: + - audit_rules_immutable + status: automated + - id: RHEL-10-001000 + levels: + - high + title: RHEL 10 must be a vendor-supported release. + rules: + - installed_OS_is_vendor_supported + status: automated