Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate
Rules and Groups employed by this XCCDF Profile
-
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...Group -
Ensure Authentication Required for Single User Mode
Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.Rule Medium Severity -
Ensure that System Accounts Are Locked
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts. <br> ...Rule Medium Severity -
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be grant...Rule Medium Severity -
Enforce usage of pam_wheel for su authentication
To ensure that only users who are members of the <code>wheel</code> group can run commands with altered privileges through the <code>su</code> command, make sure that the following line exists in t...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Configure auditd Rules for Comprehensive Auditing
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...Group -
Ensure auditd Collects Information on Exporting to Media (successful)
At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read aud...Rule Medium Severity -
Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during d...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit ...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/group
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/gshadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/security/opasswd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/passwd
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Events that Modify User/Group Information - /etc/shadow
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <co...Rule Medium Severity -
Record Attempts to perform maintenance activities
The Red Hat Enterprise Linux 9 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating...Rule Medium Severity -
System Audit Logs Must Have Mode 0750 or Less Permissive
If <code>log_group</code> in <code>/etc/audit/auditd.conf</code> is set to a group other than the <code>root</code> group account, change the mode of the audit log files with the following command...Rule Medium Severity -
System Audit Logs Must Be Group Owned By Root
All audit logs must be group owned by root user. The path for audit log can be configured via <code>log_file</code> parameter in <pre>/etc/audit/auditd.conf</pre> or, by default, the path for audit...Rule Medium Severity -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Audit Configuration Files Must Be Owned By Root
All audit configuration files must be owned by root user. To properly set the owner of <code>/etc/audit/</code>, run the command: <pre>$ sudo chown root /etc/audit/ </pre> To properly set the own...Rule Medium Severity -
System Audit Logs Must Be Owned By Root
All audit logs must be owned by root user and group. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner of <code>/var/log/audit</code>, run the command: <p...Rule Medium Severity -
Audit Configuration Files Permissions are 640 or More Restrictive
All audit configuration files permissions must be 640 or more restrictive.chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
System Audit Logs Must Have Mode 0640 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log</pre> Configure the audit log to be p...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls
At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify sy...Group -
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission changes for all users and root. <br> <br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</...Rule Medium Severity -
Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audi...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Group -
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during dae...Rule Medium Severity -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to wri...Group -
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by <code>auditd</code>, add or correct the lin...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
Verify /boot/grub2/grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Verify /boot/grub2/user.cfg Group Ownership
The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/boot/grub2...Rule Medium Severity -
Verify /boot/grub2/grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity -
Verify /boot/grub2/user.cfg User Ownership
The file <code>/boot/grub2/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properly set the owner of <code>/boot/grub2/user.cfg</co...Rule Medium Severity -
Verify /boot/grub2/grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Verify /boot/grub2/user.cfg Permissions
File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.